Add `*_authentik_forward_auth` + `*_authentik_forward_auth_url` knobs to both roles. When enabled: * drawio: traefik attaches a ForwardAuth middleware pointing at the authentik embedded outpost; unauthenticated requests get redirected to log in and downstream sees X-Authentik-* identity headers. * garage WebUI: same ForwardAuth wiring, and `AUTH_USER_PASS` is dropped from the container env so authentik is the only gate. Tasks now key the htpasswd hash workflow off `_garage_webui_htpasswd_active` (`webui_enabled AND NOT authentik_forward_auth`); when authentik fronts the UI we skip hashing entirely. htpasswd hash is also now cached on disk and re-verified via `htpasswd -vbB` so unchanged passwords stop showing as `changed=true` on every run. Both knobs default to `false`, preserving existing htpasswd/plain behaviour.
#SPDX-License-Identifier: MIT-0
|
|
---
|
|
# defaults file for garage
|
|
|
|
# Base directory configuration (inherited from base role or defined here)
|
|
docker_compose_base_dir: /etc/docker/compose
|
|
docker_volume_base_dir: /srv/data
|
|
|
|
# Garage-specific configuration
|
|
garage_service_name: garage
|
|
garage_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ garage_service_name }}"
|
|
garage_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ garage_service_name }}"
|
|
|
|
# Garage service configuration
|
|
garage_image: "dxflrs/garage:v2.1.0"
|
|
# FQDNs the garage S3 router accepts. The first entry is the canonical
|
|
# domain and is also used as the virtual-hosted-style root_domain in
|
|
# garage.toml; further entries cover internal *.int.* names.
|
|
garage_s3_domains:
|
|
- "storage.local.test"
|
|
garage_web_domain: "web.storage.local.test"
|
|
garage_webui_domain: "console.storage.local.test"
|
|
|
|
# Garage WebUI configuration
|
|
garage_webui_enabled: true
|
|
garage_webui_image: "khairul169/garage-webui:latest"
|
|
garage_webui_port: 3909
|
|
# WebUI basic auth credentials (plaintext, will be hashed automatically).
|
|
# Ignored when garage_webui_authentik_forward_auth is true — in that case
|
|
# authentik handles authentication via the ForwardAuth middleware below.
|
|
garage_webui_username: "admin"
|
|
garage_webui_password: "admin"
|
|
|
|
# Optional Authentik ForwardAuth in front of the WebUI. When true:
|
|
# - the AUTH_USER_PASS env-var is dropped from the container so htpasswd
|
|
# isn't enforced; authentik is the only gate.
|
|
# - traefik attaches a ForwardAuth middleware pointing at the URL below.
|
|
# Leave false to keep classic htpasswd protection.
|
|
garage_webui_authentik_forward_auth: false
|
|
garage_webui_authentik_forward_auth_url: ""
|
|
|
|
# Garage ports
|
|
garage_s3_api_port: 3900
|
|
garage_s3_web_port: 3902
|
|
garage_admin_port: 3903
|
|
garage_rpc_port: 3901
|
|
|
|
# Garage configuration
|
|
garage_replication_factor: 1
|
|
garage_compression_level: 1
|
|
garage_db_engine: "lmdb"
|
|
garage_s3_region: "us-east-1"
|
|
garage_rpc_secret: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
|
|
garage_admin_token: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
|
|
garage_metrics_token: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
|
|
|
|
# Traefik configuration
|
|
garage_traefik_network: "proxy"
|
|
garage_internal_network: "internal"
|
|
garage_use_ssl: true
|
|
|
|
# Optional: Garage cluster bootstrap configuration
|
|
garage_bootstrap_enabled: false
|
|
garage_bootstrap_zone: "dc1"
|
|
garage_bootstrap_capacity: "1G"
|
|
|
|
# Optional: S3 keys to create
|
|
# Example:
|
|
# garage_s3_keys:
|
|
# - name: "my-key"
|
|
# buckets:
|
|
# - name: "my-bucket"
|
|
# permissions: ["read", "write"]
|
|
garage_s3_keys: [] |
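Review bot: `garage_webui_authentik_forward_auth_url` defaults to `""` and nothing ties it to the `garage_webui_authentik_forward_auth: false` knob just above it, so an inventory that flips the flag without setting the URL would wire a ForwardAuth middleware with an empty address; the role tasks (outside this file) should `ansible.builtin.assert` that the URL is non-empty whenever the flag is true, and the default deserves the comment `# Required (non-empty) when garage_webui_authentik_forward_auth is true.` The same pairing exists in the drawio role the description mentions, so the check belongs there too. The comment block explaining the knob should also state that dropping `AUTH_USER_PASS` makes the WebUI trust every request that reaches the container, so the container must be reachable only through traefik — if the compose template publishes `garage_webui_port` on the host, authentik is bypassed entirely (I cannot see the template from here). Not part of this change but in the same file, the `admin`/`admin` credentials and the repeating-hex `garage_rpc_secret`/`garage_admin_token`/`garage_metrics_token` are placeholder defaults that every deployment must override, preferably from a vault or environment rather than plain strings committed here.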