
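---
# authentik stack file, rendered by Ansible (Jinja2) for a Docker Swarm
# deployment fronted by Traefik.
#
# Template inputs:
#   required: pg_pass, authentik_secret_key, traefik_net, traefik_route
#   optional: pg_user, pg_db (default "authentik"),
#             authentik_image, authentik_tag (default ghcr.io/goauthentik/server:2025.6.3)
#
# The rendered file holds the database password and the authentik secret key
# in clear text. Keep it readable only by the deploying user (e.g. mode 0600)
# and out of version control; longer term these belong in Docker secrets
# (postgres reads POSTGRES_PASSWORD_FILE; authentik can read an env value
# from a file via the file:// prefix — confirm against the authentik docs).
#
# NOTE(review): `restart:` is ignored by `docker stack deploy`, which reads
# `deploy.restart_policy` instead; harmless if this is also used with plain
# `docker compose`, but confirm which path is in use.

networks:
  traefik_public:
    external: true
  # Stack-private overlay carrying server/worker <-> postgresql/redis traffic.
  internal: {}

services:
  postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    healthcheck:
      # $POSTGRES_DB / $POSTGRES_USER are expanded inside the container shell.
      test: ["CMD-SHELL", "pg_isready -d $POSTGRES_DB -U $POSTGRES_USER"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /mnt/cephfs/authentik/data/db:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: "{{ pg_pass }}"
      POSTGRES_USER: "{{ pg_user | default('authentik') }}"
      POSTGRES_DB: "{{ pg_db | default('authentik') }}"
    networks:
      - internal

  redis:
    # NOTE(review): tag is not pinned to a major version; consider pinning so
    # a registry update cannot silently change the cache engine.
    image: docker.io/library/redis:alpine
    # Snapshot to disk when at least 1 key changed in the last 60 s.
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /mnt/cephfs/authentik/data/cache:/data
    networks:
      - internal

  server:
    image: "{{ authentik_image | default('ghcr.io/goauthentik/server') }}:{{ authentik_tag | default('2025.6.3') }}"
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: "{{ authentik_secret_key }}"
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: "{{ pg_user | default('authentik') }}"
      AUTHENTIK_POSTGRESQL__NAME: "{{ pg_db | default('authentik') }}"
      AUTHENTIK_POSTGRESQL__PASSWORD: "{{ pg_pass }}"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
    volumes:
      - /mnt/cephfs/authentik/data/media:/media
      - /mnt/cephfs/authentik/data/templates:/templates
    networks:
      # Only the server is exposed to Traefik; the worker stays on `internal`.
      - traefik_public
      - internal
    deploy:
      # All label values are quoted: a bare "{{ ... }}" or a number would be
      # parsed by YAML as a flow mapping / integer rather than a string.
      labels:
        traefik.enable: "true"
        traefik.swarm.network: "{{ traefik_net }}"
        # Routes the main host, plus the outpost (forward-auth) path on any
        # *.genius.ceo subdomain (`&&` binds tighter than `||`). Single-quoted
        # so the backticks, braces and ':' in the regex are not interpreted
        # by YAML. The .genius.ceo suffix is hard-coded while the main host is
        # templated — consider templating both from the same variable.
        traefik.http.routers.authentik.rule: 'Host(`{{ traefik_route }}`) || HostRegexp(`{subdomain:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?}.genius.ceo`) && PathPrefix(`/outpost.goauthentik.io/`)'
        traefik.http.routers.authentik.entrypoints: https
        traefik.http.routers.authentik.tls: "true"
        traefik.http.routers.authentik.tls.certresolver: main
        traefik.http.services.authentik.loadbalancer.server.port: "9000"

  worker:
    image: "{{ authentik_image | default('ghcr.io/goauthentik/server') }}:{{ authentik_tag | default('2025.6.3') }}"
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: "{{ authentik_secret_key }}"
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: "{{ pg_user | default('authentik') }}"
      AUTHENTIK_POSTGRESQL__NAME: "{{ pg_db | default('authentik') }}"
      AUTHENTIK_POSTGRESQL__PASSWORD: "{{ pg_pass }}"
    # `user: root` and the Docker socket mount are optional; they are only
    # needed for the Docker outpost integration:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Mounting /var/run/docker.sock hands the worker control of the node's
    # Docker daemon, which is equivalent to root on that host — keep it only
    # while the integration is in use. Without `user: root` the worker can no
    # longer fix ownership of the mounted folders, so set them to the expected
    # UID/GID (1000:1000 by default) before removing it.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/cephfs/authentik/data/media:/media
      - /mnt/cephfs/authentik/data/certs:/certs
      - /mnt/cephfs/authentik/data/templates:/templates
    networks:
      - internal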