CoreBotLabs/infra
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

chore: migrate from authelia -> authentik

Browse source
This commit is contained in:
Bray Delaire 2026-04-07 19:46:24 -04:00
parent d91868197c
commit 84c4f0c242
4 changed files with 201 additions and 132 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -5,3 +5,4 @@
**/redis-data/ **/redis-data/
**/data/ **/data/
**/komodo/ **/komodo/
**/authelia

13
master/Caddyfile
View file

@ -12,8 +12,6 @@
} }
# --- PUBLIC PRODUCTION (.ca) --- # --- PUBLIC PRODUCTION (.ca) ---
# Cloudflare DNS points these to your Public IP (136.112.149.254)
# Caddy will automatically get REAL Let's Encrypt certificates.
auth.corebot.ca { auth.corebot.ca {
reverse_proxy authelia:9091 { reverse_proxy authelia:9091 {
@ -27,17 +25,19 @@ git.corebot.ca {
reverse_proxy 100.98.158.31:3000 { reverse_proxy 100.98.158.31:3000 {
header_up Host {host} header_up Host {host}
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
header_up X-Forwarded-Proto {scheme}
} }
} }
core.corebot.ca { core.corebot.ca {
import authelia_auth reverse_proxy komodo-core:9120 {
reverse_proxy 100.80.179.128:9120 header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Proto {scheme}
}
} }
vault.corebot.ca { vault.corebot.ca {
# Vaultwarden usually handles its own OIDC/SSO, but you can
# add a layer of Authelia here for double-security.
import authelia_auth import authelia_auth
reverse_proxy 100.120.171.124:8081 { reverse_proxy 100.120.171.124:8081 {
header_up Host {host} header_up Host {host}
@ -57,7 +57,6 @@ privacy.corebot.ca {
} }
# --- INTERNAL LAB (.io) --- # --- INTERNAL LAB (.io) ---
# Managed by Pi-hole, only accessible via Tailscale/Internal Network.
main.bray.io { main.bray.io {
tls internal tls internal

104
master/docker-compose.yml
View file

@ -1,4 +1,4 @@
services: services:
komodo-core: komodo-core:
image: ghcr.io/moghtech/komodo-core:2 image: ghcr.io/moghtech/komodo-core:2
container_name: komodo-core container_name: komodo-core
@ -8,30 +8,100 @@ services:
environment: environment:
- KOMODO_DATABASE_USERNAME=${DB_ROOT_USER} - KOMODO_DATABASE_USERNAME=${DB_ROOT_USER}
- KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS} - KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS}
# Path updated to include the database name and the admin auth source
- KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin - KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin
- KOMODO_LOCAL_AUTH=true - KOMODO_LOCAL_AUTH=true
- KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER} - KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER}
- KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS} - KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS}
- KOMODO_HOST=https://core.corebot.ca - KOMODO_HOST=https://core.corebot.ca
- KOMODO_OIDC_ENABLED=true
- KOMODO_OIDC_CLIENT_ID=${KOMODO_OIDC_CLIENT_ID}
- KOMODO_OIDC_CLIENT_SECRET=${KOMODO_OIDC_CLIENT_SECRET}
- KOMODO_OIDC_PROVIDER=${KOMODO_OIDC_PROVIDER}
- KOMODO_OIDC_INSECURE=true
- KOMODO_OIDC_REDIRECT_HOST=https://core.corebot.ca
volumes: volumes:
- ./komodo:/config - ./komodo:/config
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
# FIX 1: Remove the /etc/ssl/certs mount.
# Mount ONLY your custom CA to the injection point.
- /etc/ssl/certs/ca-certificates.crt:/usr/local/share/ca-certificates/caddy.crt:ro
extra_hosts:
- "auth.corebot.ca:host-gateway"
networks: networks:
- monitor-net - monitor-net
caddy: authentik-server:
image: caddy:latest image: ghcr.io/goauthentik/server:latest
container_name: caddy container_name: authentik-server
restart: unless-stopped command: server
ports: environment:
- "80:80" # Database Connection to VM3
- "443:443" AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
volumes: volumes:
- ./Caddyfile:/etc/caddy/Caddyfile - ./media:/media
- ./legal:/usr/share/caddy/legal - ./custom-templates:/templates
- caddy_data:/data networks:
- caddy_config:/config - monitor-net
ports:
- "9000:9000"
authentik-worker:
image: ghcr.io/goauthentik/server:latest
container_name: authentik-worker
command: worker
environment:
AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
networks:
- monitor-net
mystic-legal:
image: nginx:alpine
container_name: mystic-legal
restart: always
volumes:
- ./legal/html:/usr/share/nginx/html:ro
networks:
- monitor-net
npm:
image: 'jc21/nginx-proxy-manager:latest'
container_name: npm
restart: always
ports:
- '80:80'
- '81:81' # This is your new Admin UI
- '443:443'
volumes:
- ./npm/data:/data
- ./npm/letsencrypt:/etc/letsencrypt
networks: networks:
- monitor-net - monitor-net
@ -58,12 +128,12 @@ services:
restart: always restart: always
volumes: volumes:
- ./authelia:/config - ./authelia:/config
env_file: .env
environment: environment:
- TZ=America/New_York - TZ=America/New_York
- JWT_SECRET=${JWT_SECRET} - JWT_SECRET=${JWT_SECRET}
- STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY} - STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY}
- SESSION_SECRET=${SECRET} - SESSION_SECRET=${SECRET}
- ENCRYPT_KEY=${ENCRYPT_KEY}
- FORGEJO_DB_PASS=${FORGEJO_DB_PASS} - FORGEJO_DB_PASS=${FORGEJO_DB_PASS}
networks: networks:
- monitor-net - monitor-net
@ -123,12 +193,10 @@ services:
networks: networks:
- monitor-net - monitor-net
networks: networks:
monitor-net: monitor-net:
external: true external: true
volumes: volumes:
caddy_data:
caddy_config:
grafana_data: grafana_data:
prometheus_data: prometheus_data:

1
passwords/docker-compose.yml
View file

@ -7,6 +7,7 @@ services:
- "8081:80" - "8081:80"
environment: environment:
- ADMIN_TOKEN=${ADMIN_TOKEN} - ADMIN_TOKEN=${ADMIN_TOKEN}
- ENABLE_SSO=true
- SIGNUPS_ALLOWED=false - SIGNUPS_ALLOWED=false
- DOMAIN=https://vault.corebot.ca - DOMAIN=https://vault.corebot.ca
- SMTP_HOST=${SMTP_HOST} - SMTP_HOST=${SMTP_HOST}