c3cf779532
- Refactor: collapse `*_domain` + `*_extra_domains` into a single `*_domains` list across authentik, collabora, garage and nextcloud roles. First entry is the canonical FQDN (used for OVERWRITEHOST, BASE_URL, notify_push setup and garage root_domain). - Authentik blueprint: guard the OAuth sources block so an empty `authentik_login_sources` no longer renders an invalid YAML key. - Nextcloud: introduce `nextcloud_collabora_public_domain` and set Collabora's `public_wopi_url` separately from the server-to-server `wopi_url` so browsers can reach Collabora via the public name while Nextcloud still talks to it on the internal one. - Nextcloud: URL-encode the postgres user/password in DATABASE_URL.
90 lines
3.5 KiB
Django/Jinja
90 lines
3.5 KiB
Django/Jinja
services:
|
|
postgres:
|
|
image: {{ authentik_postgres_image }}
|
|
restart: unless-stopped
|
|
environment:
|
|
POSTGRES_DB: {{ authentik_postgres_db }}
|
|
POSTGRES_USER: {{ authentik_postgres_user }}
|
|
POSTGRES_PASSWORD: {{ authentik_postgres_password }}
|
|
volumes:
|
|
- {{ authentik_docker_volume_dir }}/postgresql:/var/lib/postgresql/data
|
|
networks:
|
|
- {{ authentik_backend_network }}
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -d {{ authentik_postgres_db }} -U {{ authentik_postgres_user }}"]
|
|
start_period: 20s
|
|
interval: 30s
|
|
retries: 5
|
|
timeout: 5s
|
|
|
|
server:
|
|
image: {{ authentik_image }}
|
|
restart: unless-stopped
|
|
command: server
|
|
healthcheck:
|
|
test: ["CMD", "ak", "healthcheck"]
|
|
start_period: 30s
|
|
interval: 10s
|
|
retries: 5
|
|
timeout: 5s
|
|
environment:
|
|
AUTHENTIK_SECRET_KEY: {{ authentik_secret_key }}
|
|
AUTHENTIK_POSTGRESQL__HOST: postgres
|
|
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_postgres_db }}
|
|
AUTHENTIK_POSTGRESQL__USER: {{ authentik_postgres_user }}
|
|
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
|
|
AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
|
|
AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
|
|
volumes:
|
|
- {{ authentik_docker_volume_dir }}/blueprints:/blueprints/custom
|
|
- {{ authentik_docker_volume_dir }}/data:/data
|
|
- {{ authentik_docker_volume_dir }}/templates:/templates
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
networks:
|
|
- {{ authentik_backend_network }}
|
|
- {{ authentik_traefik_network }}
|
|
labels:
|
|
- traefik.enable=true
|
|
- traefik.docker.network={{ authentik_traefik_network }}
|
|
- traefik.http.routers.{{ authentik_service_name }}.rule=Host({% for d in authentik_domains %}`{{ d }}`{% if not loop.last %}, {% endif %}{% endfor %})
|
|
{% if authentik_use_ssl %}
|
|
- traefik.http.routers.{{ authentik_service_name }}.entrypoints=websecure
|
|
- traefik.http.routers.{{ authentik_service_name }}.tls=true
|
|
{% if traefik_cert_mode | default('selfsigned') == 'acme' %}
|
|
- traefik.http.routers.{{ authentik_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }}
|
|
{% endif %}
|
|
{% else %}
|
|
- traefik.http.routers.{{ authentik_service_name }}.entrypoints=web
|
|
{% endif %}
|
|
- traefik.http.services.{{ authentik_service_name }}.loadbalancer.server.port={{ authentik_port }}
|
|
|
|
worker:
|
|
image: {{ authentik_image }}
|
|
restart: unless-stopped
|
|
command: worker
|
|
user: root
|
|
environment:
|
|
AUTHENTIK_SECRET_KEY: {{ authentik_secret_key }}
|
|
AUTHENTIK_POSTGRESQL__HOST: postgres
|
|
AUTHENTIK_POSTGRESQL__NAME: {{ authentik_postgres_db }}
|
|
AUTHENTIK_POSTGRESQL__USER: {{ authentik_postgres_user }}
|
|
AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }}
|
|
AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }}
|
|
AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}"
|
|
volumes:
|
|
- {{ authentik_docker_volume_dir }}/data:/data
|
|
- {{ authentik_docker_volume_dir }}/certs:/certs
|
|
- {{ authentik_docker_volume_dir }}/templates:/templates
|
|
- {{ authentik_docker_volume_dir }}/blueprints:/blueprints/custom
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
networks:
|
|
- {{ authentik_backend_network }}
|
|
|
|
networks:
|
|
{{ authentik_backend_network }}:
|
|
{{ authentik_traefik_network }}:
|
|
external: true
|