selfhosted/authelia.yml at main · hosaka/selfhosted · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
networks:
  proxy:
  authelia:
  ldap:

volumes:
  authelia-database-data:
  authelia-redis-data:
  lldap-data:

services:
  authelia:
    image: ghcr.io/authelia/authelia:4.39.19
    depends_on:
      authelia-redis:
        condition: service_healthy
      authelia-database:
        condition: service_healthy
    environment:
      - TZ=${TIMEZONE}
      - PROXY_PUBLIC_DOMAIN=${PROXY_PUBLIC_DOMAIN}
      - PROXY_PRIVATE_DOMAIN=${PROXY_PRIVATE_DOMAIN}
      # enables template expansion in configuration.yml
      - X_AUTHELIA_CONFIG_FILTERS=template
      - LLDAP_BASE_DN=${LLDAP_BASE_DN}
      - AUTH_LDAP_PASSWORD=${AUTH_LDAP_PASSWORD}
      - AUTH_SESSION_SECRET=${AUTH_SESSION_SECRET}
      - AUTH_STORAGE_ENCRYPTION_KEY=${AUTH_STORAGE_ENCRYPTION_KEY}
      - AUTH_DB_DATABASE_NAME=${AUTH_DB_DATABASE_NAME:-authelia}
      - AUTH_DB_USERNAME=${AUTH_DB_USERNAME}
      - AUTH_DB_PASSWORD=${AUTH_DB_PASSWORD}
      - AUTH_SMTP_ADDRESS=${AUTH_SMTP_ADDRESS}
      - AUTH_SMTP_USERNAME=${AUTH_SMTP_USERNAME}
      - AUTH_SMTP_PASSWORD=${AUTH_SMTP_PASSWORD}
      - AUTH_SMTP_SENDER=${AUTH_SMTP_SENDER}
      - AUTH_JWT_SECRET=${AUTH_JWT_SECRET}
      # clients
      - AUTH_FORGEJO_CLIENT_ID=${AUTH_FORGEJO_CLIENT_ID}
      - AUTH_FORGEJO_CLIENT_SECRET_HASH=${AUTH_FORGEJO_CLIENT_SECRET_HASH}
      - AUTH_GOTIFY_CLIENT_ID=${AUTH_GOTIFY_CLIENT_ID}
      - AUTH_GOTIFY_CLIENT_SECRET_HASH=${AUTH_GOTIFY_CLIENT_SECRET_HASH}
      - AUTH_GRAFANA_CLIENT_ID=${AUTH_GRAFANA_CLIENT_ID}
      - AUTH_GRAFANA_CLIENT_SECRET_HASH=${AUTH_GRAFANA_CLIENT_SECRET_HASH}
      - AUTH_IMMICH_CLIENT_ID=${AUTH_IMMICH_CLIENT_ID}
      - AUTH_IMMICH_CLIENT_SECRET_HASH=${AUTH_IMMICH_CLIENT_SECRET_HASH}
      - AUTH_JELLYFIN_CLIENT_ID=${AUTH_JELLYFIN_CLIENT_ID}
      - AUTH_JELLYFIN_CLIENT_SECRET_HASH=${AUTH_JELLYFIN_CLIENT_SECRET_HASH}
      - AUTH_KAVITA_CLIENT_ID=${AUTH_KAVITA_CLIENT_ID}
      - AUTH_KAVITA_CLIENT_SECRET_HASH=${AUTH_KAVITA_CLIENT_SECRET_HASH}
      - AUTH_PAPERLESS_CLIENT_ID=${AUTH_PAPERLESS_CLIENT_ID}
      - AUTH_PAPERLESS_CLIENT_SECRET_HASH=${AUTH_PAPERLESS_CLIENT_SECRET_HASH}
      - AUTH_VAULTWARDEN_CLIENT_ID=${AUTH_VAULTWARDEN_CLIENT_ID}
      - AUTH_VAULTWARDEN_CLIENT_SECRET_HASH=${AUTH_VAULTWARDEN_CLIENT_SECRET_HASH}
      - AUTH_WAKAPI_CLIENT_ID=${AUTH_WAKAPI_CLIENT_ID}
      - AUTH_WAKAPI_CLIENT_SECRET_HASH=${AUTH_WAKAPI_CLIENT_SECRET_HASH}
    expose:
      - 9091 # api
    extends:
      file: common.yml
      service: log-to-json
    healthcheck:
      disable: false
    networks:
      - proxy
      - authelia
      - ldap
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./authelia/jwks/private.pem:/config/jwks/private.pem:ro
      - ./authelia/configuration.yml:/config/configuration.yml:ro

  authelia-redis:
    image: docker.io/valkey/valkey:8-alpine
    command: --save 30 1 --loglevel warning
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    expose:
      - 6379 # api
    extends:
      file: common.yml
      service: log-to-json
    healthcheck:
      test: redis-cli ping
    networks:
      - authelia
    restart: unless-stopped
    volumes:
      - authelia-redis-data:/data

  authelia-database:
    image: docker.io/postgres:14-alpine
    environment:
      - POSTGRES_USER=${AUTH_DB_USERNAME}
      - POSTGRES_PASSWORD=${AUTH_DB_PASSWORD}
      - POSTGRES_DB=${AUTH_DB_DATABASE_NAME}
    expose:
      - 5432 # db
    extends:
      file: common.yml
      service: log-to-json
    healthcheck:
      test: pg_isready --dbname='${AUTH_DB_DATABASE_NAME}' --username='${AUTH_DB_USERNAME}'
    networks:
      - authelia
    restart: unless-stopped
    volumes:
      - authelia-database-data:/var/lib/postgresql/data

  lldap:
    # todo: figure out how to create default authelia user/pwd with lldap_password_manager gruop
    # probably using the lldap bootstrap.sh script as suggested in the readme
    image: ghcr.io/lldap/lldap:v0.6.2-alpine
    environment:
      - LLDAP_LDAP_BASE_DN=${LLDAP_BASE_DN}
      - LLDAP_LDAP_USER_PASS=${LLDAP_USER_PASS}
      - LLDAP_JWT_SECRET=${LLDAP_JWT_SECRET}
      - LLDAP_KEY_SEED=${LLDAP_KEY_SEED}
      - TZ=${TIMEZONE}
    expose:
      - 3890 # ldap
      # - 6360 # ldaps (ldap over ssl)
      - 17170 # webui
    extends:
      file: common.yml
      service: log-to-json
    networks:
      - ldap
      - proxy
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - lldap-data:/data