Dogfooding it, Pt 7

2024-06-14 16:13:10 +00:00 · 2024-06-14 16:13:10 +00:00 · 6e0ab38fb4
commit 6e0ab38fb4
parent d1fd57a034
7 changed files with 115 additions and 192 deletions
--- a/docker-compose-homelab.yaml
+++ b/docker-compose-homelab.yaml
@ -20,9 +20,15 @@ secrets:
    file: /home/andreas/secrets/postgres-root
  gitea:
    file: /home/andreas/secrets/gitea
+  authentik-postgres:
+    file: /home/andreas/secrets/authentik-postgres
+  authentik-secret:
+    file: /home/andreas/secrets/authentik-secret

 configs:
  ghost-config:
    file: /home/andreas/configs/config.production.json
  traefik-config:
    file: /home/andreas/configs/traefik.toml
+
+services:
--- a/authentik.yaml
+++ b/authentik.yaml
@ -0,0 +1,70 @@
+  authentik-server:
+    command: server
+    depends_on:
+      - postgres
+      - redis
+    deploy:
+      labels:
+        traefik.enable: "true"
+        traefik.http.routers.authentik-rtr.rule: 'Host(`authentik.turriff.net`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.turriff.net`) && PathPrefix(`/outpost.goauthentik.io/`)'
+        traefik.http.routers.authentik-rtr.service: "authentik"
+        traefik.http.services.authentik.loadbalancer.server.port: "9000"
+        traefik.http.middlewares.authentik.forwardauth.address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
+        traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: "true"
+        traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
+      replicas: 1
+    environment:
+      AUTHENTIK_POSTGRESQL__HOST: "postgres"
+      AUTHENTIK_POSTGRESQL__NAME: "authentik"
+      AUTHENTIK_POSTGRESQL__USER: "authentik"
+      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/authentik-postgres"
+      AUTHENTIK_REDIS__HOST: "valkey"
+      AUTHENTIK_SECRET_KEY: "file:///run/secrets/authentik-secret"
+      AUTHENTIK_EMAIL__HOST: "munin.turriff.net"
+      AUTHENTIK_EMAIL__FROM: "authentik@turriff.net"
+    hostname: "authentik-server"
+    image: "ghcr.io/goauthentik/server:2024.4"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+      - homelab-bridge
+    restart: on-failure
+    secrets:
+      - authentik-postgres
+      - authentik-secret
+    user: "10008:10008"
+    volumes:
+      - "/srv/data/docker/authentik/media:/media"
+      - "/srv/data/docker/authentik/custom-templates:/templates"
+
+  authentik-worker:
+    command: worker
+    depends_on:
+      - postgres
+      - redis
+    deploy:
+      replicas: 1
+    environment:
+      AUTHENTIK_POSTGRESQL__HOST: "postgres"
+      AUTHENTIK_POSTGRESQL__NAME: "authentik"
+      AUTHENTIK_POSTGRESQL__USER: "authentik"
+      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/authentik-postgres"
+      AUTHENTIK_REDIS__HOST: "valkey"
+      AUTHENTIK_SECRET_KEY: "file:///run/secrets/authentik-secret"
+      AUTHENTIK_EMAIL__HOST: "munin.turriff.net"
+      AUTHENTIK_EMAIL__FROM: "authentik@turriff.net"
+    image: "ghcr.io/goauthentik/server:2024.4"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: on-failure
+    secrets:
+      - authentik-postgres
+      - authentik-secret
+    user: "10008:10008"
+    volumes:
+      - "/srv/data/docker/authentik/media:/media"
+      - "/srv/data/docker/authentik/certs:/certs"
+      - "/srv/data/docker/authentik/custom-templates:/templates"
--- a/docker-compose-homelab-combined.yaml
+++ b/docker-compose-homelab-combined.yaml
@ -1,187 +0,0 @@
-networks:
-  homelab:
-    driver: overlay
-    ipam:
-      config:
-        - subnet: 10.64.0.0/16
-    internal: true
-  homelab-bridge:
-    driver: overlay
-    ipam:
-      config:
-        - subnet: 10.96.0.0/16
-
-secrets:
-  percona-root:
-    file: /home/andreas/secrets/percona-root
-  ghost:
-    file: /home/andreas/secrets/ghost
-  postgres-root:
-    file: /home/andreas/secrets/postgres-root
-  gitea:
-    file: /home/andreas/secrets/gitea
-
-configs:
-  ghost-config:
-    file: /home/andreas/configs/config.production.json
-  traefik-config:
-    file: /home/andreas/configs/traefik.toml
-services:
-  traefik:
-    configs:
-      - source: traefik-config
-        target: /etc/traefik/traefik.toml
-    deploy:
-      labels:
-        traefik.enable: "true"
-        traefik.http.routers.traefik-rtr.entrypoints: "websecure"
-        traefik.http.routers.traefik-rtr.middlewares: "traefik-allowlist@file"
-        traefik.http.routers.traefik-rtr.rule: "Host(`traefik.turriff.net`)"
-        traefik.http.routers.traefik-rtr.service: "api@internal"
-        traefik.http.services.dummy-svc.loadbalancer.server.port: "9999"
-      replicas: 1
-    healthcheck:
-      test: ["CMD","traefik","healthcheck"]
-      interval: 30s
-      timeout: 10s
-    image: "traefik:3.0"
-    logging:
-      driver: journald
-    networks:
-      - homelab
-      - homelab-bridge
-    ports:
-      - "80:10080"
-      - "443:10443"
-      - "10022:10022"
-    restart: on-failure
-    volumes:
-      - "/srv/data/docker/traefik/rules:/rules:ro"
-      - "/srv/data/docker/traefik/acme:/acme:rw"
-      - "/srv/data/docker/traefik/logs:/logs:rw"
-      - "/run/docker.sock:/run/docker.sock:ro"
-  percona:
-    deploy:
-      replicas: 1
-    environment:
-      MYSQL_ROOT_PASSWORD_FILE: "/run/secrets/percona-root"
-      PERCONA_TELEMETRY_DISABLE: 1
-    image: "percona:ps-8"
-    logging:
-      driver: journald
-    networks:
-      - homelab
-    restart: on-failure
-    secrets:
-      - percona-root
-      - ghost
-    volumes:
-      - "/srv/data/docker/percona/data:/var/lib/mysql:rw"
-  ghost:
-    configs:
-      - source: ghost-config
-        target: /var/lib/ghost/config.production.json
-    deploy:
-      replicas: 1
-      labels:
-        traefik.enable: "true"
-        traefik.http.routers.ghost-rtr.entrypoints: "websecure"
-        traefik.http.routers.ghost-rtr.rule: "Host(`ghost.turriff.net`)"
-        traefik.http.routers.ghost-rtr.service: "ghost"
-        traefik.http.services.ghost.loadbalancer.server.port: "2368"
-    image: "ghost:5"
-    logging:
-      driver: journald
-    networks:
-      - homelab
-    restart: on-failure
-    volumes:
-      - "/srv/data/docker/ghost/data:/var/lib/ghost/content:rw"
-  navidrome:
-    deploy:
-      replicas: 1
-    environment:
-      ND_BASEURL: "https://media.turriff.net"
-      ND_ENABLE_EXTERNAL_SERVICES: "false"
-    image: "deluan/navidrome:latest"
-    labels:
-      traefik.enable: "true"
-      traefik.http.routers.navidrome-rtr.entrypoint: websecure
-      traefik.http.routers.navidrome-rtr.rule: "Host(`media.turriff.net`)"
-      traefik.http.routers.navidrome-rtr.service: "navidrome"
-      traefix.http.services.navidrome.loadbalancer.server.port: "4533"
-    logging:
-      driver: journald
-    networks:
-      - homelab
-    restart: unless-stopped 
-    user: "10002:10002"
-    volumes:
-      - "/srv/data/docker/navidrome/data:/data"
-      - "/srv/data/shared/media/music:/music:ro"
-  postgres:
-    deploy:
-      replicas: 1
-    environment:
-      POSTGRES_PASSWORD_FILE: "/run/secrets/postgres-root"
-    hostname: "postgres"
-    image: "postgres:16"
-    logging:
-      driver: journald
-    networks:
-      - homelab
-    restart: on-failure
-    secrets:
-      - postgres-root
-      - gitea
-    shm_size: 128mb
-    user: "10003:10003"
-    volumes:
-      - "/srv/data/docker/postgres/data:/var/lib/postgresql/data:rw"
-      - type: tmpfs
-        target: "/var/run/postgresql"
-  gitea:
-    depends_on:
-      - postgres
-    deploy:
-      labels:
-        traefik.enable: "true"
-        traefik.http.routers.gitea-http-rtr.entrypoints: websecure
-        traefik.http.routers.gitea-http-rtr.rule: "Host(`gitea.turriff.net`)"
-        traefik.http.routers.gitea-http-rtr.service: "gitea"
-        traefik.http.services.gitea.loadbalancer.server.port: "3000"
-        traefik.tcp.routers.gitea-ssh-rtr.entrypoints: ssh
-        traefik.tcp.routers.gitea-ssh-rtr.rule: "Host(`gitea.turriff.net`)"
-        traefik.tcp.routers.gitea-ssh-rtr.service: "gitea-ssh"
-        traefik.tcp.services.gitea-ssh.loadbalancer.server.port: "2222"
-      replicas: 1
-    environment:
-      GITEA__database__DB_TYPE: "postgres"
-      GITEA__database__HOST: "postgres"
-      GITEA__database__NAME: "gitea"
-      GITEA__database__USER: "gitea"
-      GITEA__database__PASSWORD__FILE: "/run/secrets/gitea"
-      GITEA__mailer__ENABLED: "true"
-      GITEA__mailer__FROM: "gitea@turriff.net"
-      GITEA__mailer__PROTOCOL: "smtp+starttls"
-      GITEA__mailer__SMTP_ADDR: "munin.turriff.net"
-      GITEA__mailer__SMTP_PORT: "25"
-      GITEA__server__ROOT_URL: "https://gitea.turriff.net"
-      GITEA__cors__ENABLED: "true"
-      GITEA__cors__ALLOW_DOMAIN: "https://*.turriff.net"
-      GITEA__server__USE_PROXY_PROTOCOL: "true"
-      GITEA__server__DOMAIN: "gitea.turriff.net"
-      GITEA__server__SSH_SERVER_USE_PROXY_PROTOCOL: "true"
-    image: "gitea/gitea:1-rootless"
-    logging:
-      driver: journald
-    networks:
-      - homelab
-      - homelab-bridge
-    restart: on-failure
-    secrets:
-      - gitea
-    user: "10004:10004"
-    volumes:
-      - "/srv/data/docker/gitea/data:/var/lib/gitea:rw"
-      - "/srv/data/docker/gitea/config:/etc/gitea:rw"
--- a/gitea.yaml
+++ b/gitea.yaml
@ -9,7 +9,7 @@
        traefik.http.routers.gitea-http-rtr.service: "gitea"
        traefik.http.services.gitea.loadbalancer.server.port: "3000"
        traefik.tcp.routers.gitea-ssh-rtr.entrypoints: ssh
-        traefik.tcp.routers.gitea-ssh-rtr.rule: "Host(`gitea.turriff.net`)"
+        traefik.tcp.routers.gitea-ssh-rtr.rule: "HostSNI(`gitea.turriff.net`)"
        traefik.tcp.routers.gitea-ssh-rtr.service: "gitea-ssh"
        traefik.tcp.services.gitea-ssh.loadbalancer.server.port: "2222"
      replicas: 1
--- a/postgres.yaml
+++ b/postgres.yaml
@ -3,6 +3,12 @@
      replicas: 1
    environment:
      POSTGRES_PASSWORD_FILE: "/run/secrets/postgres-root"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
    hostname: "postgres"
    image: "postgres:16"
    logging:
@ -13,6 +19,7 @@
    secrets:
      - postgres-root
      - gitea
+      - authentik-postgres
    shm_size: 128mb
    user: "10003:10003"
    volumes:
--- a/traefik.yaml
+++ b/traefik.yaml
@ -1,4 +1,3 @@
-services:
  traefik:
    configs:
      - source: traefik-config
@ -23,9 +22,18 @@ services:
      - homelab
      - homelab-bridge
    ports:
-      - "80:10080"
-      - "443:10443"
-      - "10022:10022"
+      - published: 80
+        target: 10080
+        protocol: "tcp"
+        mode: "host"
+      - published: 443
+        target: 10443
+        protocol: "tcp"
+        mode: "host"
+      - published: 10022
+        target: 10022
+        protocol: "tcp"
+        mode: "host"
    restart: on-failure
    volumes:
      - "/srv/data/docker/traefik/rules:/rules:ro"
--- a/valkey.yaml
+++ b/valkey.yaml
@ -0,0 +1,19 @@
+  valkey:
+    command: "valkey-server --save 30 1"
+    deploy:
+      replicas: 1
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      timeout: 3s
+    hostname: "valkey"
+    image: "valkey/valkey:7.2-alpine"
+    logging:
+      driver: journald
+    networks:
+      - homelab
+    restart: unless-stopped
+    user: "10007:10007"
+    volumes:
+      - "/srv/data/docker/valkey/data:/data"