traefik-authelia/docker-compose.yml
Guillaume "B.B." Van Hemmen f6414a6ae5 #0000 - Add initial project setup with configs, user db, and Docker Compose
This commit adds the foundational setup for the project, including docker-compose.yml, .env.dist, users_database.yml.dist, and Authelia configurations. It also includes the MIT license and a README with installation instructions and usage. The .gitignore file has been updated to exclude sensitive files.
2024-10-10 15:46:06 +02:00

146 lines
5.3 KiB
YAML

networks:
network:
name: traefik_network
volumes:
redis:
mysql_data:
services:
reverse-proxy:
image: traefik:v3.1 # The official Traefik docker image
command:
- '--api=true'
- '--api.dashboard=${ENABLE_TRAEFIK_DASHBOARD:-false}'
- '--api.insecure=false'
- '--global.sendAnonymousUsage=false'
- '--global.checkNewVersion=false'
- '--log=true'
- '--log.level=WARN'
- '--providers.docker=true' # Enabling docker provider
- '--providers.docker.exposedbydefault=false' # Do not expose containers unless explicitly told so
- '--entrypoints.web.address=:80' # Traefik will listen to incoming request on the port 80 (HTTP)
- '--entrypoints.web.http.redirections.entrypoint.to=websecure'
- '--entrypoints.web.http.redirections.entrypoint.scheme=https'
## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
- '--entryPoints.web.forwardedHeaders.trustedips=${TRUSTED_IPS:-}'
- '--entryPoints.web.proxyProtocol.trustedips=${TRUSTED_IPS:-}'
- '--entryPoints.web.forwardedHeaders.insecure=false'
- '--entryPoints.web.proxyProtocol.insecure=false'
- '--entrypoints.websecure.address=:443' # Traefik will listen to incoming request on the port 443 (HTTPS)
## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
- '--entryPoints.websecure.forwardedHeaders.trustedips=${TRUSTED_IPS:-}'
- '--entryPoints.websecure.proxyProtocol.trustedips=${TRUSTED_IPS:-}'
- '--entryPoints.websecure.forwardedHeaders.insecure=false'
- '--entryPoints.websecure.proxyProtocol.insecure=false'
- '--certificatesresolvers.myresolver.acme.httpchallenge=true' # Enable a http challenge named 'myresolver'
- '--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web' # Tell it to use our predefined entrypoint named 'web'
- '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}' # The email to provide to let's encrypt
- '--certificatesresolvers.myresolver.acme.storage=/acme.json' # Tell to store the certificate on a path under our volume
networks:
- network
ports:
- target: 80
published: 80
mode: host
- target: 443
published: 443
mode: host
volumes:
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
- ../acme.json:/acme.json
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.traefik-api.rule=Host(`${TRAEFIK_DASHBOARD_FQDN}`)'
- 'traefik.http.routers.traefik-api.entryPoints=websecure'
- 'traefik.http.routers.traefik-api.service=api@internal'
- "traefik.http.routers.traefik-api.tls.certresolver=myresolver"
- "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
- 'traefik.http.routers.traefik-api.middlewares=authelia@docker'
deploy:
replicas: 1
restart_policy:
condition: any
delay: 5s
# from https://www.authelia.com/integration/proxies/traefik/
authelia:
image: authelia/authelia:4
depends_on:
- mariadb-service
- redis
networks:
- network
volumes:
- ./authelia:/config
environment:
TZ: "Europe/Paris"
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`${AUTHELIA_FQDN}`)'
- 'traefik.http.routers.authelia.entryPoints=websecure'
- 'traefik.http.routers.authelia.tls=true'
- "traefik.http.routers.authelia.tls.certresolver=myresolver"
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2F${AUTHELIA_FQDN}%2F'
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- 'traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia:9091/api/verify?auth=basic'
- 'traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
mariadb-service:
image: mariadb:11
environment:
MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
MYSQL_DATABASE: ${MYSQL_DATABASE}
volumes:
- mysql_data:/var/lib/mysql
networks:
- network
deploy:
replicas: 1
restart_policy:
condition: any
delay: 5s
mysql-cron-backup:
image: fradelg/mysql-cron-backup:1.13.1
networks:
- network
depends_on:
- mariadb-service
volumes:
- ${MYSQL_BACKUP_PATH}:/backup
environment:
- MYSQL_HOST=mariadb-service
- MYSQL_USER=root
- MYSQL_PASS=${MYSQL_ROOT_PASSWORD}
- MAX_BACKUPS=365
- INIT_BACKUP=1
# Every day at 03:00
- CRON_TIME=0 3 * * *
# Make it small
- GZIP_LEVEL=9
deploy:
replicas: 1
restart_policy:
condition: any
delay: 5s
redis:
image: redis:7-alpine
networks:
- network
volumes:
- redis:/data
deploy:
replicas: 1
restart_policy:
condition: any
delay: 5s
healthcheck:
test: [ "CMD", "redis-cli", "ping" ]
interval: 1s
timeout: 5s
retries: 10