From 84c4f0c242cec0ff5cabfacbc274b3db47554422 Mon Sep 17 00:00:00 2001
From: Bray
Date: Tue, 7 Apr 2026 19:46:24 -0400
Subject: [PATCH] chore: migrate from authelia -> authentik
---
 .gitignore | 3 +-
 master/Caddyfile | 13 +-
 master/docker-compose.yml | 316 +++++++++++++++++++++--------------
 passwords/docker-compose.yml | 1 +
 4 files changed, 201 insertions(+), 132 deletions(-)
diff --git a/.gitignore b/.gitignore
index 830131c..d4359ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,5 @@
 **/postgres-data/
 **/redis-data/
 **/data/
-**/komodo/
\ No newline at end of file
+**/komodo/
+**/authelia
\ No newline at end of file
diff --git a/master/Caddyfile b/master/Caddyfile
index c576860..dc9453d 100644
--- a/master/Caddyfile
+++ b/master/Caddyfile
@@ -12,8 +12,6 @@
 }
 # --- PUBLIC PRODUCTION (.ca) ---
-# Cloudflare DNS points these to your Public IP (136.112.149.254)
-# Caddy will automatically get REAL Let's Encrypt certificates.
 auth.corebot.ca {
 reverse_proxy authelia:9091 {
@@ -27,17 +25,19 @@ git.corebot.ca {
 reverse_proxy 100.98.158.31:3000 {
 header_up Host {host}
 header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-Proto {scheme}
 }
 }
 core.corebot.ca {
- import authelia_auth
- reverse_proxy 100.80.179.128:9120
+ reverse_proxy komodo-core:9120 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
 }
 vault.corebot.ca {
- # Vaultwarden usually handles its own OIDC/SSO, but you can
- # add a layer of Authelia here for double-security.
 import authelia_auth
 reverse_proxy 100.120.171.124:8081 {
 header_up Host {host}
@@ -57,7 +57,6 @@ privacy.corebot.ca {
 }
 # --- INTERNAL LAB (.io) ---
-# Managed by Pi-hole, only accessible via Tailscale/Internal Network.
 main.bray.io {
 tls internal
diff --git a/master/docker-compose.yml b/master/docker-compose.yml
index 0df5630..b88be2c 100644
--- a/master/docker-compose.yml
+++ b/master/docker-compose.yml
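Review bot: `auth.corebot.ca` still forwards to `authelia:9091` although the commit subject says the stack migrates to Authentik, whose server in this commit's compose file listens on `9000`; if the auth hostname is meant to front Authentik (komodo-core's `KOMODO_OIDC_PROVIDER` and its `extra_hosts` entry for `auth.corebot.ca` suggest so), the upstream here needs to change, otherwise the public auth endpoint keeps pointing at the old provider. The compose file also still defines an `authelia` service alongside `authentik-server`, so it is not clear from the patch which provider is authoritative; a one-line comment above this block stating which one `auth.corebot.ca` serves would settle it. The `auth.corebot.ca` block continues past the hunk.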
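Review bot: The `core.corebot.ca` block drops `import authelia_auth`, so the forward-auth gate in front of Komodo is gone and Komodo's own login page is now served straight off the public hostname; in this same commit the compose environment keeps `KOMODO_LOCAL_AUTH=true` next to the new OIDC settings, so local password login stays reachable there. If relying on Komodo's built-in authentication is intended, record it with a comment such as `# Auth handled by Komodo itself (OIDC + local); no forward-auth layer`, and consider whether local auth should stay enabled once OIDC works. Note also that this commit removes the `caddy` service from `master/docker-compose.yml` in favour of `npm`, so `reverse_proxy komodo-core:9120` only resolves if a Caddy instance still runs on `monitor-net`; if this Caddyfile is no longer deployed it may be stale config rather than the active edge. The `vault.corebot.ca` block continues outside the hunk.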
@@ -1,134 +1,202 @@ -services: - komodo-core: - image: ghcr.io/moghtech/komodo-core:2 - container_name: komodo-core - restart: always - ports: - - "9120:9120" - environment: - - KOMODO_DATABASE_USERNAME=${DB_ROOT_USER} - - KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS} - # Path updated to include the database name and the admin auth source - - KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin - - KOMODO_LOCAL_AUTH=true - - KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER} - - KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS} - - KOMODO_HOST=https://core.corebot.ca - volumes: - - ./komodo:/config - - /var/run/docker.sock:/var/run/docker.sock - networks: - - monitor-net + services: + komodo-core: + image: ghcr.io/moghtech/komodo-core:2 + container_name: komodo-core + restart: always + ports: + - "9120:9120" + environment: + - KOMODO_DATABASE_USERNAME=${DB_ROOT_USER} + - KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS} + - KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin + - KOMODO_LOCAL_AUTH=true + - KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER} + - KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS} + - KOMODO_HOST=https://core.corebot.ca + - KOMODO_OIDC_ENABLED=true + - KOMODO_OIDC_CLIENT_ID=${KOMODO_OIDC_CLIENT_ID} + - KOMODO_OIDC_CLIENT_SECRET=${KOMODO_OIDC_CLIENT_SECRET} + - KOMODO_OIDC_PROVIDER=${KOMODO_OIDC_PROVIDER} + - KOMODO_OIDC_INSECURE=true + - KOMODO_OIDC_REDIRECT_HOST=https://core.corebot.ca + volumes: + - ./komodo:/config + - /var/run/docker.sock:/var/run/docker.sock + # FIX 1: Remove the /etc/ssl/certs mount. + # Mount ONLY your custom CA to the injection point. 
+ - /etc/ssl/certs/ca-certificates.crt:/usr/local/share/ca-certificates/caddy.crt:ro + extra_hosts: + - "auth.corebot.ca:host-gateway" + networks: + - monitor-net - caddy: - image: caddy:latest - container_name: caddy - restart: unless-stopped - ports: - - "80:80" - - "443:443" - volumes: - - ./Caddyfile:/etc/caddy/Caddyfile - - ./legal:/usr/share/caddy/legal - - caddy_data:/data - - caddy_config:/config - networks: - - monitor-net + authentik-server: + image: ghcr.io/goauthentik/server:latest + container_name: authentik-server + command: server + environment: + # Database Connection to VM3 + AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP} + AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD} + AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER} + AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB} + AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS} - komodo-periphery: - image: ghcr.io/moghtech/komodo-periphery:2 - container_name: komodo-periphery - restart: always - environment: - # Use the service name so Docker DNS can find the Core container - PERIPHERY_CORE_ADDRESS: http://komodo-core:9120 - PERIPHERY_CONNECT_AS: Mystic-Master - PERIPHERY_ONBOARDING_KEY: ${MYSTIC_ONBOARD_KEY} - volumes: - # This allows Komodo to manage the containers on THIS Cloud VM - - /var/run/docker.sock:/var/run/docker.sock - networks: - - monitor-net - depends_on: - - komodo-core + AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST} + AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT} + AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD} + AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB} + AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE} + AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY} + volumes: + - ./media:/media + - ./custom-templates:/templates + networks: + - monitor-net + ports: + - "9000:9000" - authelia: - image: authelia/authelia:latest - container_name: authelia - restart: always - volumes: - - ./authelia:/config - env_file: .env - environment: - - TZ=America/New_York - - 
JWT_SECRET=${JWT_SECRET} - - STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY} - - SESSION_SECRET=${SECRET} - - FORGEJO_DB_PASS=${FORGEJO_DB_PASS} - networks: - - monitor-net + authentik-worker: + image: ghcr.io/goauthentik/server:latest + container_name: authentik-worker + command: worker + environment: + AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP} + AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER} + AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB} + AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS} - mystic-home: - image: nginx:alpine - container_name: mystic-home - restart: always - volumes: - - ./html:/usr/share/nginx/html:ro - networks: - - monitor-net + AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST} + AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT} + AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD} + AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB} + AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE} + AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY} + AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD} + user: root + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - ./media:/media + - ./certs:/certs + - ./custom-templates:/templates + networks: + - monitor-net - prometheus: - image: prom/prometheus:latest - container_name: prometheus - restart: always - volumes: - - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml - - prometheus_data:/prometheus - command: - - '--config.file=/etc/prometheus/prometheus.yml' - - '--storage.tsdb.path=/prometheus' - networks: - - monitor-net + mystic-legal: + image: nginx:alpine + container_name: mystic-legal + restart: always + volumes: + - ./legal/html:/usr/share/nginx/html:ro + networks: + - monitor-net - grafana: - image: grafana/grafana:latest - container_name: grafana - restart: always - environment: - - GF_SERVER_ROOT_URL=https://grafana.bray.io - ports: - - "3001:3000" - volumes: - - grafana_data:/var/lib/grafana - networks: - - monitor-net + npm: + image: 'jc21/nginx-proxy-manager:latest' + container_name: 
npm + restart: always + ports: + - '80:80' + - '81:81' # This is your new Admin UI + - '443:443' + volumes: + - ./npm/data:/data + - ./npm/letsencrypt:/etc/letsencrypt + networks: + - monitor-net - node-exporter: - image: prom/node-exporter:latest - container_name: node-exporter - restart: always - networks: - - monitor-net + komodo-periphery: + image: ghcr.io/moghtech/komodo-periphery:2 + container_name: komodo-periphery + restart: always + environment: + # Use the service name so Docker DNS can find the Core container + PERIPHERY_CORE_ADDRESS: http://komodo-core:9120 + PERIPHERY_CONNECT_AS: Mystic-Master + PERIPHERY_ONBOARDING_KEY: ${MYSTIC_ONBOARD_KEY} + volumes: + # This allows Komodo to manage the containers on THIS Cloud VM + - /var/run/docker.sock:/var/run/docker.sock + networks: + - monitor-net + depends_on: + - komodo-core - cadvisor: - image: gcr.io/cadvisor/cadvisor:latest - container_name: cadvisor - restart: always - volumes: - - /:/rootfs:ro - - /var/run:/var/run:ro - - /sys:/sys:ro - - /var/lib/docker/:/var/lib/docker:ro - - /dev/disk/:/dev/disk:ro - networks: - - monitor-net + authelia: + image: authelia/authelia:latest + container_name: authelia + restart: always + volumes: + - ./authelia:/config + environment: + - TZ=America/New_York + - JWT_SECRET=${JWT_SECRET} + - STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY} + - SESSION_SECRET=${SECRET} + - ENCRYPT_KEY=${ENCRYPT_KEY} + - FORGEJO_DB_PASS=${FORGEJO_DB_PASS} + networks: + - monitor-net -networks: - monitor-net: - external: true + mystic-home: + image: nginx:alpine + container_name: mystic-home + restart: always + volumes: + - ./html:/usr/share/nginx/html:ro + networks: + - monitor-net -volumes: - caddy_data: - caddy_config: - grafana_data: - prometheus_data: \ No newline at end of file + prometheus: + image: prom/prometheus:latest + container_name: prometheus + restart: always + volumes: + - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml + - prometheus_data:/prometheus + command: + - 
'--config.file=/etc/prometheus/prometheus.yml' + - '--storage.tsdb.path=/prometheus' + networks: + - monitor-net + + grafana: + image: grafana/grafana:latest + container_name: grafana + restart: always + environment: + - GF_SERVER_ROOT_URL=https://grafana.bray.io + ports: + - "3001:3000" + volumes: + - grafana_data:/var/lib/grafana + networks: + - monitor-net + + node-exporter: + image: prom/node-exporter:latest + container_name: node-exporter + restart: always + networks: + - monitor-net + + cadvisor: + image: gcr.io/cadvisor/cadvisor:latest + container_name: cadvisor + restart: always + volumes: + - /:/rootfs:ro + - /var/run:/var/run:ro + - /sys:/sys:ro + - /var/lib/docker/:/var/lib/docker:ro + - /dev/disk/:/dev/disk:ro + networks: + - monitor-net + + networks: + monitor-net: + external: true + + volumes: + grafana_data: + prometheus_data: diff --git a/passwords/docker-compose.yml b/passwords/docker-compose.yml index ab85f22..dc58419 100644 --- a/passwords/docker-compose.yml +++ b/passwords/docker-compose.yml @@ -7,6 +7,7 @@ services: - "8081:80" environment: - ADMIN_TOKEN=${ADMIN_TOKEN} + - ENABLE_SSO=true - SIGNUPS_ALLOWED=false - DOMAIN=https://vault.corebot.ca - SMTP_HOST=${SMTP_HOST}
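Review bot: The `# FIX 1` volume on komodo-core does not do what its comment says: it mounts the host's entire trust bundle `/etc/ssl/certs/ca-certificates.crt` as `/usr/local/share/ca-certificates/caddy.crt` rather than only the custom CA, and `KOMODO_OIDC_INSECURE=true` a few lines above disables provider TLS verification anyway, so either the mount is redundant or, once the CA is trusted, that flag should be removed — left in production it makes the OIDC back-channel exchange interceptable. `npm` publishes its admin UI as `- '81:81'`, which binds every host interface; on a host that also serves the public `.ca` sites, `- '127.0.0.1:81:81'` (or a host firewall rule) keeps the admin panel off the internet, and the same question applies to `"9000:9000"` and `"9120:9120"`. The `./npm/letsencrypt`, `./certs` and `./media` bind mounts are not matched by any `.gitignore` pattern in this commit, so issued private keys under `letsencrypt/` can end up committed. `authentik-worker` runs as `user: root` with the Docker socket mounted, which is equivalent to host root; if that is deliberate (presumably so the worker can manage containers) a comment saying so would help, and `authentik-server` is the only service without a `restart:` policy.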
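Review bot: `ENABLE_SSO=true` does not look like a variable this container reads — the neighbouring `ADMIN_TOKEN`, `SIGNUPS_ALLOWED` and `DOMAIN` keys are Vaultwarden's, and as far as I know Vaultwarden's switch is `SSO_ENABLED`, which also needs the authority and client id/secret settings that are absent here; please check against the image's documentation, because an unknown variable is silently ignored and SSO simply stays off. The Caddyfile in this commit still places `import authelia_auth` in front of `vault.corebot.ca`, so once SSO is active verify that the forward-auth gate does not intercept the OIDC callback. The `services:` block continues outside the hunk.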