Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions
digitalboard.core/roles/authentik/templates/docker-compose.yml.j2
Simon Bärlocher 6411f94cce
feat(authentik): split-horizon host rewrite + proxy-app mode/group bindings 
* `authentik_host_rewrite_domains`: extra hostnames that reach the
  authentik container but make it generate URLs (OIDC issuer, reset
  links) as if requested from the canonical `authentik_domains[0]`.
  Each entry gets its own traefik router and a URL-based loadbalancer
  service that disables passHostHeader and pins X-Forwarded-Host via
  middleware, so server-to-server calls on internal FQDNs keep traffic
  in the LAN while the iss claim stays aligned with the public host.
  Uses a network alias on the canonical FQDN so traefik (sharing the
  network) resolves the URL upstream to this very container.

* proxy-app blueprint:
  - `mode` (default `forward_single`) lets callers pick between proxy,
    forward_single and forward_domain providers in one template.
  - `allowed_groups`: when set, emit one PolicyBinding per group on
    the application; authentik OR-evaluates bindings, so users in any
    listed group pass and others are denied.

Existing inventories with an empty list see no behavioural change.
2026-05-27 23:12:23 +02:00

125 lines
5.9 KiB
Django/Jinja
Raw Blame History

services:
postgres:
image: {{ authentik_postgres_image }}
restart: unless-stopped
environment:
POSTGRES_DB: {{ authentik_postgres_db }}
POSTGRES_USER: {{ authentik_postgres_user }}
POSTGRES_PASSWORD: {{ authentik_postgres_password }}
volumes:
- {{ authentik_docker_volume_dir }}/postgresql:/var/lib/postgresql/data
networks:
- {{ authentik_backend_network }}
healthcheck:
test: ["CMD-SHELL", "pg_isready -d {{ authentik_postgres_db }} -U {{ authentik_postgres_user }}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
server:
image: {{ authentik_image }}
restart: unless-stopped
command: server
healthcheck:
test: ["CMD", "ak", "healthcheck"]
start_period: 30s
interval: 10s
retries: 5
timeout: 5s
environment:
AUTHENTIK_SECRET_KEY: {{ authentik_secret_key }}
AUTHENTIK_POSTGRESQL__HOST: postgres
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_postgres_db }}
AUTHENTIK_POSTGRESQL__USER: {{ authentik_postgres_user }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
volumes:
- {{ authentik_docker_volume_dir }}/blueprints:/blueprints/custom
- {{ authentik_docker_volume_dir }}/data:/data
- {{ authentik_docker_volume_dir }}/templates:/templates
depends_on:
postgres:
condition: service_healthy
networks:
{{ authentik_backend_network }}: {}
# Network alias so traefik (which shares this network) can resolve
# the canonical FQDN to this container directly. The URL-based
# service below uses that to send upstream traffic with a fixed
# Host header equal to the canonical hostname.
{{ authentik_traefik_network }}:
aliases:
- {{ authentik_domains[0] }}
labels:
- traefik.enable=true
- traefik.docker.network={{ authentik_traefik_network }}
- traefik.http.routers.{{ authentik_service_name }}.rule={% for d in authentik_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%}
- traefik.http.routers.{{ authentik_service_name }}.service={{ authentik_service_name }}
{% if authentik_use_ssl %}
- traefik.http.routers.{{ authentik_service_name }}.entrypoints=websecure
- traefik.http.routers.{{ authentik_service_name }}.tls=true
{% if traefik_cert_mode | default('selfsigned') == 'acme' %}
- traefik.http.routers.{{ authentik_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }}
{% endif %}
{% else %}
- traefik.http.routers.{{ authentik_service_name }}.entrypoints=web
{% endif %}
- traefik.http.services.{{ authentik_service_name }}.loadbalancer.server.port={{ authentik_port }}
{% if authentik_host_rewrite_domains | length > 0 %}
# Server-to-server entry: a separate service points at this very
# container by the canonical FQDN (resolved via the network alias
# above) and disables passHostHeader so the upstream Host header
# becomes `{{ authentik_domains[0] }}`. Authentik builds OIDC issuer
# URLs from X-Forwarded-Host (not Host), so we also pin that header
# via middleware. Together this keeps the iss claim aligned with
# the public hostname browsers see during login, even when the
# request itself arrived on an internal *.int.* FQDN.
- traefik.http.services.{{ authentik_service_name }}-rewrite.loadbalancer.server.url=http://{{ authentik_domains[0] }}:{{ authentik_port }}
- traefik.http.services.{{ authentik_service_name }}-rewrite.loadbalancer.passhostheader=false
- traefik.http.middlewares.{{ authentik_service_name }}-xfh-rewrite.headers.customrequestheaders.X-Forwarded-Host={{ authentik_domains[0] }}
{% for d in authentik_host_rewrite_domains %}
- traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.rule=Host(`{{ d }}`)
- traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.priority=100
- traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.service={{ authentik_service_name }}-rewrite
- traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.middlewares={{ authentik_service_name }}-xfh-rewrite
{% if authentik_use_ssl %}
- traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.entrypoints=websecure
- traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.tls=true
{% if traefik_cert_mode | default('selfsigned') == 'acme' %}
- traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }}
{% endif %}
{% else %}
- traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.entrypoints=web
{% endif %}
{% endfor %}
{% endif %}
worker:
image: {{ authentik_image }}
restart: unless-stopped
command: worker
user: root
environment:
AUTHENTIK_SECRET_KEY: {{ authentik_secret_key }}
AUTHENTIK_POSTGRESQL__HOST: postgres
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_postgres_db }}
AUTHENTIK_POSTGRESQL__USER: {{ authentik_postgres_user }}
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
volumes:
- {{ authentik_docker_volume_dir }}/data:/data
- {{ authentik_docker_volume_dir }}/certs:/certs
- {{ authentik_docker_volume_dir }}/templates:/templates
- {{ authentik_docker_volume_dir }}/blueprints:/blueprints/custom
depends_on:
postgres:
condition: service_healthy
networks:
- {{ authentik_backend_network }}
networks:
{{ authentik_backend_network }}:
{{ authentik_traefik_network }}:
external: true
View git blame Copy permalink