Init commit

2025-10-18 00:31:23 +01:00
commit fcd081c1c5
30 changed files with 4912 additions and 0 deletions
--- a/docker/.env.authentik
+++ b/docker/.env.authentik
@@ -0,0 +1,2 @@
+PG_PASS=tqEJ1Hp2j6Z0WsHhhfkUCEfLRmFII6xu761k4CD1ZMQA93lm
+AUTHENTIK_SECRET_KEY=dbHWpMFDVSUMqCuu1pmGJi2qV/8f61pnHlySudK+/pbCpb3RBZI8pw8nhkIGWvXH1lcuyNq5bt8LI8d3
--- a/docker/docker-compose.authentik.yaml
+++ b/docker/docker-compose.authentik.yaml
@@ -0,0 +1,106 @@
+name: authentik
+
+x-logging: &default-logging
+  options:
+    max-size: 32m
+    max-file: 4
+
+services:
+  authentik-postgresql:
+    container_name: authentik-postgresql
+    image: docker.io/library/postgres:16.8-alpine3.21
+    restart: unless-stopped
+    env_file:
+      - .env
+      - .env.authentik
+    logging: *default-logging
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    environment:
+      POSTGRES_PASSWORD: ${AUTHENTIK_PG_PASS:?database password required}
+      POSTGRES_USER: authentik
+      POSTGRES_DB: authentik
+    volumes:
+      - ./authentik/postgres:/var/lib/postgresql/data
+  authentik-redis:
+    container_name: authentik-redis
+    image: docker.io/library/redis:8.2.1-alpine3.22
+    restart: unless-stopped
+    env_file:
+      - .env
+      - .env.authentik
+    logging: *default-logging
+    command: --save 60 1 --loglevel warning
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - ./authentik/redis:/data
+  authentik-server:
+    container_name: authentik-server
+    image: ghcr.io/goauthentik/server:2025.8.1
+    restart: unless-stopped
+    env_file:
+      - .env
+      - .env.authentik
+    logging: *default-logging
+    depends_on:
+      authentik-postgresql:
+        condition: service_healthy
+      authentik-redis:
+        condition: service_healthy
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: authentik-redis
+      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
+      AUTHENTIK_POSTGRESQL__USER: authentik
+      AUTHENTIK_POSTGRESQL__NAME: authentik
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
+    volumes:
+      - ./authentik/custom-templates:/templates
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.authentik.entryPoints=https
+      - traefik.http.routers.authentik.rule=Host(`authentik.home.joemonk.co.uk`) || (HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.home.joemonk.co.uk`) && PathPrefix(`/outpost.goauthentik.io/`))
+      - traefik.http.routers.authentik.tls=true
+      - traefik.http.routers.authentik.tls.certresolver=letsencrypt
+      - traefik.http.routers.authentik.tls.domains[0].main=authentik.home.joemonk.co.uk
+      - traefik.http.routers.authentik.service=authentik
+      - traefik.http.services.authentik.loadbalancer.server.port=9000
+
+      - traefik.http.middlewares.authentik-traefik.forwardAuth.address=http:/authentik-server:9000/outpost.goauthentik.io/auth/traefik
+      - traefik.http.middlewares.authentik-traefik.forwardAuth.trustForwardHeader=true
+      - traefik.http.middlewares.authentik-traefik.forwardAuth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
+
+  authentik-worker:
+    container_name: authentik-worker
+    image: ghcr.io/goauthentik/server:2025.8.1
+    restart: unless-stopped
+    env_file:
+      - .env
+      - .env.authentik
+    logging: *default-logging
+    depends_on:
+      authentik-postgresql:
+        condition: service_healthy
+      authentik-redis:
+        condition: service_healthy
+    command: worker
+    user: root
+    environment:
+      AUTHENTIK_REDIS__HOST: authentik-redis
+      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
+      AUTHENTIK_POSTGRESQL__USER: authentik
+      AUTHENTIK_POSTGRESQL__NAME: authentik
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./authentik/certs:/certs
+      - ./authentik/custom-templates:/templates
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -0,0 +1,73 @@
+
+x-logging: &default-logging
+  options:
+    max-size: 32m
+    max-file: 4
+
+services:
+  traefik:
+    container_name: traefik
+    image: traefik:3.5.1
+    restart: unless-stopped
+    env_file: .env
+    logging: *default-logging
+    depends_on:
+      - authelia
+    command:
+      - --api.insecure=true
+      - --providers.docker=true
+      - --providers.docker.watch=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.file.directory=/config
+      - --providers.file.watch=true
+
+      - --accesslog
+      - --accesslog.format=json
+
+      - --entryPoints.http.address=:80
+
+      - --entryPoints.http.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/14,192.168.0.0/16,fc00::/7
+      - --entryPoints.http.proxyProtocol.trustedIPs=192.168.0.0/16
+      - --entryPoints.http.forwardedHeaders.insecure=false
+      - --entryPoints.http.proxyProtocol.insecure=false
+
+      - --entryPoints.https=true
+      - --entryPoints.https.address=:443
+      - --entryPoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/14,192.168.0.0/16,fc00::/7
+      - --entryPoints.https.proxyProtocol.trustedIPs=192.168.0.0/16
+      - --entryPoints.https.forwardedHeaders.insecure=false
+      - --entryPoints.https.proxyProtocol.insecure=false
+
+      - --entryPoints.http.http.redirections.entrypoint.to=https
+      - --entryPoints.http.http.redirections.entrypoint.scheme=https
+
+      - --certificatesresolvers.letsencrypt
+      - --certificatesresolvers.letsencrypt.acme.storage=acme.json
+      - --certificatesresolvers.letsencrypt.acme.email=joemonk@hotmail.co.uk
+      - --certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=route53
+      # Uncomment to use the staging env for testing volumes etc
+      - --certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+    ports:
+      - 80:80
+      - 443:443
+      - 8080:8080
+    volumes:
+      - /mnt/cache/appdata/traefik/config:/config
+      - /mnt/user/appdata/traefik/letsencrypt/acme.json:/acme.json
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      - traefik.enable=true
+
+      - traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth
+      - traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true
+      - traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
+
+      - traefik.http.routers.traefik.entryPoints=https
+      - traefik.http.routers.traefik.rule=Host(`traefik.home.joemonk.co.uk`)
+      - traefik.http.routers.traefik.tls=true
+      - traefik.http.routers.traefik.tls.certresolver=letsencrypt
+      - traefik.http.routers.traefik.tls.domains[0].main=traefik.home.joemonk.co.uk
+      - traefik.http.routers.traefik.service=traefik
+      - traefik.http.routers.traefik.middlewares=authentik-traefik@docker
+
+      - traefik.http.services.traefik.loadbalancer.server.port=8080