chore: migrate from authelia -> authentik

This commit is contained in:
Bray Delaire 2026-04-07 19:46:24 -04:00
parent d91868197c
commit 84c4f0c242
4 changed files with 201 additions and 132 deletions

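--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,5 @@
 **/postgres-data/
 **/redis-data/
 **/data/
 **/komodo/
+**/authelia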
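Review bot: Adding `**/authelia` only stops new files from being staged; anything already committed under that path stays in history, so if the directory was ever tracked it also needs `git rm -r --cached authelia`, and because the compose file in this commit mounts it as Authelia's `/config` directory, any credentials it held should be treated as exposed and rotated. The pattern also lacks the trailing slash the neighbouring entries use, so it matches a file named `authelia` as well as the directory; `**/authelia/` keeps the file's convention.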


@ -12,8 +12,6 @@
} }
# --- PUBLIC PRODUCTION (.ca) --- # --- PUBLIC PRODUCTION (.ca) ---
# Cloudflare DNS points these to your Public IP (136.112.149.254)
# Caddy will automatically get REAL Let's Encrypt certificates.
auth.corebot.ca { auth.corebot.ca {
reverse_proxy authelia:9091 { reverse_proxy authelia:9091 {
@ -27,17 +25,19 @@ git.corebot.ca {
reverse_proxy 100.98.158.31:3000 { reverse_proxy 100.98.158.31:3000 {
header_up Host {host} header_up Host {host}
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
header_up X-Forwarded-Proto {scheme}
} }
} }
core.corebot.ca { core.corebot.ca {
import authelia_auth reverse_proxy komodo-core:9120 {
reverse_proxy 100.80.179.128:9120 header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Proto {scheme}
}
} }
vault.corebot.ca { vault.corebot.ca {
# Vaultwarden usually handles its own OIDC/SSO, but you can
# add a layer of Authelia here for double-security.
import authelia_auth import authelia_auth
reverse_proxy 100.120.171.124:8081 { reverse_proxy 100.120.171.124:8081 {
header_up Host {host} header_up Host {host}
@ -57,7 +57,6 @@ privacy.corebot.ca {
} }
# --- INTERNAL LAB (.io) --- # --- INTERNAL LAB (.io) ---
# Managed by Pi-hole, only accessible via Tailscale/Internal Network.
main.bray.io { main.bray.io {
tls internal tls internal
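Review bot: The `core.corebot.ca` block in the second hunk drops `import authelia_auth` and proxies straight to `komodo-core:9120`, so Komodo's own login is now the only gate on that public hostname, and the compose file in this commit keeps `KOMODO_LOCAL_AUTH=true` next to the new OIDC settings, so password login stays reachable alongside SSO; a comment at the site block such as `# no forward-auth here: Komodo enforces its own OIDC/local login` would record that this is intended. The first hunk still sends `auth.corebot.ca` to `authelia:9091` while the new `authentik-server` publishes port 9000, so either that route is stale or Authelia is deliberately kept running. The same commit removes the `caddy` service from the compose file in favour of nginx-proxy-manager on 80/443, so confirm something still mounts this Caddyfile; if nothing does, these edits are dead configuration.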


@ -1,134 +1,202 @@
services: services:
komodo-core: komodo-core:
image: ghcr.io/moghtech/komodo-core:2 image: ghcr.io/moghtech/komodo-core:2
container_name: komodo-core container_name: komodo-core
restart: always restart: always
ports: ports:
- "9120:9120" - "9120:9120"
environment: environment:
- KOMODO_DATABASE_USERNAME=${DB_ROOT_USER} - KOMODO_DATABASE_USERNAME=${DB_ROOT_USER}
- KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS} - KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS}
# Path updated to include the database name and the admin auth source - KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin
- KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin - KOMODO_LOCAL_AUTH=true
- KOMODO_LOCAL_AUTH=true - KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER}
- KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER} - KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS}
- KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS} - KOMODO_HOST=https://core.corebot.ca
- KOMODO_HOST=https://core.corebot.ca - KOMODO_OIDC_ENABLED=true
volumes: - KOMODO_OIDC_CLIENT_ID=${KOMODO_OIDC_CLIENT_ID}
- ./komodo:/config - KOMODO_OIDC_CLIENT_SECRET=${KOMODO_OIDC_CLIENT_SECRET}
- /var/run/docker.sock:/var/run/docker.sock - KOMODO_OIDC_PROVIDER=${KOMODO_OIDC_PROVIDER}
networks: - KOMODO_OIDC_INSECURE=true
- monitor-net - KOMODO_OIDC_REDIRECT_HOST=https://core.corebot.ca
volumes:
- ./komodo:/config
- /var/run/docker.sock:/var/run/docker.sock
# FIX 1: Remove the /etc/ssl/certs mount.
# Mount ONLY your custom CA to the injection point.
- /etc/ssl/certs/ca-certificates.crt:/usr/local/share/ca-certificates/caddy.crt:ro
extra_hosts:
- "auth.corebot.ca:host-gateway"
networks:
- monitor-net
caddy: authentik-server:
image: caddy:latest image: ghcr.io/goauthentik/server:latest
container_name: caddy container_name: authentik-server
restart: unless-stopped command: server
ports: environment:
- "80:80" # Database Connection to VM3
- "443:443" AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
volumes: AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
- ./Caddyfile:/etc/caddy/Caddyfile AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
- ./legal:/usr/share/caddy/legal AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
- caddy_data:/data AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
- caddy_config:/config
networks:
- monitor-net
komodo-periphery: AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
image: ghcr.io/moghtech/komodo-periphery:2 AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
container_name: komodo-periphery AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
restart: always AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
environment: AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}
# Use the service name so Docker DNS can find the Core container AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
PERIPHERY_CORE_ADDRESS: http://komodo-core:9120 volumes:
PERIPHERY_CONNECT_AS: Mystic-Master - ./media:/media
PERIPHERY_ONBOARDING_KEY: ${MYSTIC_ONBOARD_KEY} - ./custom-templates:/templates
volumes: networks:
# This allows Komodo to manage the containers on THIS Cloud VM - monitor-net
- /var/run/docker.sock:/var/run/docker.sock ports:
networks: - "9000:9000"
- monitor-net
depends_on:
- komodo-core
authelia: authentik-worker:
image: authelia/authelia:latest image: ghcr.io/goauthentik/server:latest
container_name: authelia container_name: authentik-worker
restart: always command: worker
volumes: environment:
- ./authelia:/config AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
env_file: .env AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
environment: AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
- TZ=America/New_York AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
- JWT_SECRET=${JWT_SECRET}
- STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY}
- SESSION_SECRET=${SECRET}
- FORGEJO_DB_PASS=${FORGEJO_DB_PASS}
networks:
- monitor-net
mystic-home: AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
image: nginx:alpine AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
container_name: mystic-home AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
restart: always AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
volumes: AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}
- ./html:/usr/share/nginx/html:ro AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
networks: AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
- monitor-net user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
networks:
- monitor-net
prometheus: mystic-legal:
image: prom/prometheus:latest image: nginx:alpine
container_name: prometheus container_name: mystic-legal
restart: always restart: always
volumes: volumes:
- ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml - ./legal/html:/usr/share/nginx/html:ro
- prometheus_data:/prometheus networks:
command: - monitor-net
- '--config.file=/etc/prometheus/prometheus.yml'
- '--storage.tsdb.path=/prometheus'
networks:
- monitor-net
grafana: npm:
image: grafana/grafana:latest image: 'jc21/nginx-proxy-manager:latest'
container_name: grafana container_name: npm
restart: always restart: always
environment: ports:
- GF_SERVER_ROOT_URL=https://grafana.bray.io - '80:80'
ports: - '81:81' # This is your new Admin UI
- "3001:3000" - '443:443'
volumes: volumes:
- grafana_data:/var/lib/grafana - ./npm/data:/data
networks: - ./npm/letsencrypt:/etc/letsencrypt
- monitor-net networks:
- monitor-net
node-exporter: komodo-periphery:
image: prom/node-exporter:latest image: ghcr.io/moghtech/komodo-periphery:2
container_name: node-exporter container_name: komodo-periphery
restart: always restart: always
networks: environment:
- monitor-net # Use the service name so Docker DNS can find the Core container
PERIPHERY_CORE_ADDRESS: http://komodo-core:9120
PERIPHERY_CONNECT_AS: Mystic-Master
PERIPHERY_ONBOARDING_KEY: ${MYSTIC_ONBOARD_KEY}
volumes:
# This allows Komodo to manage the containers on THIS Cloud VM
- /var/run/docker.sock:/var/run/docker.sock
networks:
- monitor-net
depends_on:
- komodo-core
cadvisor: authelia:
image: gcr.io/cadvisor/cadvisor:latest image: authelia/authelia:latest
container_name: cadvisor container_name: authelia
restart: always restart: always
volumes: volumes:
- /:/rootfs:ro - ./authelia:/config
- /var/run:/var/run:ro environment:
- /sys:/sys:ro - TZ=America/New_York
- /var/lib/docker/:/var/lib/docker:ro - JWT_SECRET=${JWT_SECRET}
- /dev/disk/:/dev/disk:ro - STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY}
networks: - SESSION_SECRET=${SECRET}
- monitor-net - ENCRYPT_KEY=${ENCRYPT_KEY}
- FORGEJO_DB_PASS=${FORGEJO_DB_PASS}
networks:
- monitor-net
networks: mystic-home:
monitor-net: image: nginx:alpine
external: true container_name: mystic-home
restart: always
volumes:
- ./html:/usr/share/nginx/html:ro
networks:
- monitor-net
volumes: prometheus:
caddy_data: image: prom/prometheus:latest
caddy_config: container_name: prometheus
grafana_data: restart: always
prometheus_data: volumes:
- ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
- prometheus_data:/prometheus
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--storage.tsdb.path=/prometheus'
networks:
- monitor-net
grafana:
image: grafana/grafana:latest
container_name: grafana
restart: always
environment:
- GF_SERVER_ROOT_URL=https://grafana.bray.io
ports:
- "3001:3000"
volumes:
- grafana_data:/var/lib/grafana
networks:
- monitor-net
node-exporter:
image: prom/node-exporter:latest
container_name: node-exporter
restart: always
networks:
- monitor-net
cadvisor:
image: gcr.io/cadvisor/cadvisor:latest
container_name: cadvisor
restart: always
volumes:
- /:/rootfs:ro
- /var/run:/var/run:ro
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
- /dev/disk/:/dev/disk:ro
networks:
- monitor-net
networks:
monitor-net:
external: true
volumes:
grafana_data:
prometheus_data:
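Review bot: `authentik-worker` runs as `user: root` with `/var/run/docker.sock` bind-mounted, which gives that container root-equivalent control of the host; if the socket is only there for Docker-deployed outposts, drop both when no outpost is run from this host, and otherwise say why in a comment such as `# docker.sock + root: needed only for authentik docker outposts`. `npm` publishes its admin UI as `'81:81'` and `authentik-server` as `"9000:9000"` on every host interface, so binding them to the loopback or Tailscale address (`'127.0.0.1:81:81'`) keeps them off the public IP the removed Caddyfile comment describes. In `komodo-core` the comment "Mount ONLY your custom CA" does not match the line under it, which mounts the host's entire `/etc/ssl/certs/ca-certificates.crt` bundle as `caddy.crt`, and `KOMODO_OIDC_INSECURE=true` appears to relax the provider's certificate/issuer checks; if the CA mount is what makes the provider trusted, the insecure flag should be unnecessary (confirm against Komodo's documentation). The `authelia` service is also still defined on the new side, so both identity providers run after this commit; either remove it or note in the description that the cut-over is partial.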


@ -7,6 +7,7 @@ services:
- "8081:80" - "8081:80"
environment: environment:
- ADMIN_TOKEN=${ADMIN_TOKEN} - ADMIN_TOKEN=${ADMIN_TOKEN}
- ENABLE_SSO=true
- SIGNUPS_ALLOWED=false - SIGNUPS_ALLOWED=false
- DOMAIN=https://vault.corebot.ca - DOMAIN=https://vault.corebot.ca
- SMTP_HOST=${SMTP_HOST} - SMTP_HOST=${SMTP_HOST}
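Review bot: `ENABLE_SSO=true` does not look like a variable Vaultwarden reads; upstream's OIDC support is switched on with `SSO_ENABLED=true` (with `SSO_AUTHORITY`, `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET` alongside it), and an unknown variable is silently ignored, so as written SSO would stay off — confirm against the image version's `.env.template`. None of the authority or client settings are visible in this hunk; the service definition starts before it, so they may be set outside the shown lines. If SSO does come on, the `import authelia_auth` forward-auth that the Caddyfile in this commit still places in front of `vault.corebot.ca` will also sit in front of the Vaultwarden login, which is worth a comment here or there.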