518d80ec71
Bundle of cross-role changes for the gymb services deployment: - Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit tls.certresolver only when traefik_cert_mode == acme (drawio, homarr, opnform, send). - Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container /etc/hosts overrides so containers reach the IdP public FQDN over the LAN. - bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"), allowing non-Entra IdPs that override bookstack_oidc_issuer. - homarr: derive the bcrypt salt from the password digest so the admin hash is idempotent — no spurious template changes / container restarts. - opnform: PATCH an existing OIDC connection instead of skipping (applies corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after bootstrap) and an optional direct-SSO ingress entrypoint. Docs: READMEs and meta/argument_specs.yml updated for all new variables.
45 lines
No EOL
2.1 KiB
Django/Jinja
45 lines
No EOL
2.1 KiB
Django/Jinja
#---------------------------------------------------------------------#
|
|
# Homarr — A simple, yet powerful dashboard for your server. #
|
|
#---------------------------------------------------------------------#
|
|
services:
|
|
homarr:
|
|
container_name: homarr
|
|
image: {{ homarr_image }}
|
|
restart: unless-stopped
|
|
volumes:
|
|
{% if homarr_use_docker %}
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
{% endif %}
|
|
- {{ homarr_docker_volume_dir }}/homarr/appdata:/appdata
|
|
environment:
|
|
TZ: "Europe/Zurich"
|
|
BASE_URL: "{{ homarr_base_url }}"
|
|
NEXTAUTH_URL: "{{ homarr_base_url }}"
|
|
SECRET_ENCRYPTION_KEY: "{{ homarr_secret_encryption_key }}"
|
|
AUTH_PROVIDERS: "{{ homarr_auth_providers }}"
|
|
AUTH_OIDC_ISSUER: "{{ homarr_oidc_issuer }}"
|
|
AUTH_OIDC_CLIENT_ID: "{{ homarr_oidc_client_id }}"
|
|
AUTH_OIDC_CLIENT_SECRET: "{{ homarr_oidc_client_secret }}"
|
|
AUTH_OIDC_CLIENT_NAME: "{{ homarr_oidc_client_name | default('Keycloak') }}"
|
|
AUTH_OIDC_SCOPE_OVERWRITE: "{{ homarr_oidc_scopes | default('openid email profile groups') }}"
|
|
AUTH_OIDC_GROUPS_ATTRIBUTE: "{{ homarr_oidc_groups_attribute | default('groups') }}"
|
|
AUTH_OIDC_AUTO_LOGIN: "{{ homarr_oidc_auto_login | default('false') }}"
|
|
networks:
|
|
- {{ homarr_traefik_network }}
|
|
labels:
|
|
- traefik.enable=true
|
|
- traefik.docker.network={{ homarr_traefik_network }}
|
|
- traefik.http.routers.homarr.rule={% set _all_domains = [homarr_domain] + (homarr_extra_domains | default([])) %}{% for d in _all_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%}
|
|
{% if homarr_use_ssl %}
|
|
- traefik.http.routers.homarr.entrypoints=websecure
|
|
- traefik.http.routers.homarr.tls=true
|
|
{% if traefik_cert_mode | default('selfsigned') == 'acme' %}
|
|
- traefik.http.routers.homarr.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }}
|
|
{% endif %}
|
|
{% else %}
|
|
- traefik.http.routers.homarr.entrypoints=web
|
|
{% endif %}
|
|
- traefik.http.services.homarr.loadbalancer.server.port={{ homarr_port }}
|
|
networks:
|
|
{{ homarr_traefik_network }}:
|
|
external: true |