Guillaume "B.B." Van Hemmen
f6414a6ae5
This commit adds the foundational setup for the project, including docker-compose.yml, .env.dist, users_database.yml.dist, and Authelia configurations. It also includes the MIT license and a README with installation instructions and usage. The .gitignore file has been updated to exclude sensitive files.
146 lines
5.3 KiB
YAML
146 lines
5.3 KiB
YAML
networks:
|
|
network:
|
|
name: traefik_network
|
|
|
|
volumes:
|
|
redis:
|
|
mysql_data:
|
|
|
|
services:
|
|
|
|
reverse-proxy:
|
|
image: traefik:v3.1 # The official Traefik docker image
|
|
command:
|
|
- '--api=true'
|
|
- '--api.dashboard=${ENABLE_TRAEFIK_DASHBOARD:-false}'
|
|
- '--api.insecure=false'
|
|
- '--global.sendAnonymousUsage=false'
|
|
- '--global.checkNewVersion=false'
|
|
- '--log=true'
|
|
- '--log.level=WARN'
|
|
- '--providers.docker=true' # Enabling docker provider
|
|
- '--providers.docker.exposedbydefault=false' # Do not expose containers unless explicitly told so
|
|
- '--entrypoints.web.address=:80' # Traefik will listen to incoming request on the port 80 (HTTP)
|
|
- '--entrypoints.web.http.redirections.entrypoint.to=websecure'
|
|
- '--entrypoints.web.http.redirections.entrypoint.scheme=https'
|
|
## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
|
|
- '--entryPoints.web.forwardedHeaders.trustedips=${TRUSTED_IPS:-}'
|
|
- '--entryPoints.web.proxyProtocol.trustedips=${TRUSTED_IPS:-}'
|
|
- '--entryPoints.web.forwardedHeaders.insecure=false'
|
|
- '--entryPoints.web.proxyProtocol.insecure=false'
|
|
- '--entrypoints.websecure.address=:443' # Traefik will listen to incoming request on the port 443 (HTTPS)
|
|
## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
|
|
- '--entryPoints.websecure.forwardedHeaders.trustedips=${TRUSTED_IPS:-}'
|
|
- '--entryPoints.websecure.proxyProtocol.trustedips=${TRUSTED_IPS:-}'
|
|
- '--entryPoints.websecure.forwardedHeaders.insecure=false'
|
|
- '--entryPoints.websecure.proxyProtocol.insecure=false'
|
|
- '--certificatesresolvers.myresolver.acme.httpchallenge=true' # Enable a http challenge named 'myresolver'
|
|
- '--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web' # Tell it to use our predefined entrypoint named 'web'
|
|
- '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}' # The email to provide to let's encrypt
|
|
- '--certificatesresolvers.myresolver.acme.storage=/acme.json' # Tell to store the certificate on a path under our volume
|
|
networks:
|
|
- network
|
|
ports:
|
|
- target: 80
|
|
published: 80
|
|
mode: host
|
|
- target: 443
|
|
published: 443
|
|
mode: host
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
|
|
- ../acme.json:/acme.json
|
|
labels:
|
|
- 'traefik.enable=true'
|
|
- 'traefik.http.routers.traefik-api.rule=Host(`${TRAEFIK_DASHBOARD_FQDN}`)'
|
|
- 'traefik.http.routers.traefik-api.entryPoints=websecure'
|
|
- 'traefik.http.routers.traefik-api.service=api@internal'
|
|
- "traefik.http.routers.traefik-api.tls.certresolver=myresolver"
|
|
- "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
|
|
- 'traefik.http.routers.traefik-api.middlewares=authelia@docker'
|
|
deploy:
|
|
replicas: 1
|
|
restart_policy:
|
|
condition: any
|
|
delay: 5s
|
|
|
|
# from https://www.authelia.com/integration/proxies/traefik/
|
|
authelia:
|
|
image: authelia/authelia:4
|
|
depends_on:
|
|
- mariadb-service
|
|
- redis
|
|
networks:
|
|
- network
|
|
volumes:
|
|
- ./authelia:/config
|
|
environment:
|
|
TZ: "Europe/Paris"
|
|
labels:
|
|
- 'traefik.enable=true'
|
|
- 'traefik.http.routers.authelia.rule=Host(`${AUTHELIA_FQDN}`)'
|
|
- 'traefik.http.routers.authelia.entryPoints=websecure'
|
|
- 'traefik.http.routers.authelia.tls=true'
|
|
- "traefik.http.routers.authelia.tls.certresolver=myresolver"
|
|
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2F${AUTHELIA_FQDN}%2F'
|
|
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
|
|
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
|
|
- 'traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia:9091/api/verify?auth=basic'
|
|
- 'traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true'
|
|
- 'traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
|
|
|
|
mariadb-service:
|
|
image: mariadb:11
|
|
environment:
|
|
MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
|
|
MYSQL_DATABASE: ${MYSQL_DATABASE}
|
|
volumes:
|
|
- mysql_data:/var/lib/mysql
|
|
networks:
|
|
- network
|
|
deploy:
|
|
replicas: 1
|
|
restart_policy:
|
|
condition: any
|
|
delay: 5s
|
|
|
|
mysql-cron-backup:
|
|
image: fradelg/mysql-cron-backup:1.13.1
|
|
networks:
|
|
- network
|
|
depends_on:
|
|
- mariadb-service
|
|
volumes:
|
|
- ${MYSQL_BACKUP_PATH}:/backup
|
|
environment:
|
|
- MYSQL_HOST=mariadb-service
|
|
- MYSQL_USER=root
|
|
- MYSQL_PASS=${MYSQL_ROOT_PASSWORD}
|
|
- MAX_BACKUPS=365
|
|
- INIT_BACKUP=1
|
|
# Every day at 03:00
|
|
- CRON_TIME=0 3 * * *
|
|
# Make it small
|
|
- GZIP_LEVEL=9
|
|
deploy:
|
|
replicas: 1
|
|
restart_policy:
|
|
condition: any
|
|
delay: 5s
|
|
|
|
redis:
|
|
image: redis:7-alpine
|
|
networks:
|
|
- network
|
|
volumes:
|
|
- redis:/data
|
|
deploy:
|
|
replicas: 1
|
|
restart_policy:
|
|
condition: any
|
|
delay: 5s
|
|
healthcheck:
|
|
test: [ "CMD", "redis-cli", "ping" ]
|
|
interval: 1s
|
|
timeout: 5s
|
|
retries: 10
|