CoreBotLabs/infra
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

chore: migrate from authelia -> authentik

Browse source
This commit is contained in:
Bray Delaire 2026-04-07 19:46:24 -04:00
parent d91868197c
commit 84c4f0c242
4 changed files with 201 additions and 132 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -5,3 +5,4 @@
**/redis-data/
**/data/
**/komodo/
**/authelia

13
master/Caddyfile
View file

@ -12,8 +12,6 @@
}
# --- PUBLIC PRODUCTION (.ca) ---
# Cloudflare DNS points these to your Public IP (136.112.149.254)
# Caddy will automatically get REAL Let's Encrypt certificates.
auth.corebot.ca {
reverse_proxy authelia:9091 {
@ -27,17 +25,19 @@ git.corebot.ca {
reverse_proxy 100.98.158.31:3000 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
core.corebot.ca {
import authelia_auth
reverse_proxy 100.80.179.128:9120
reverse_proxy komodo-core:9120 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}
vault.corebot.ca {
# Vaultwarden usually handles its own OIDC/SSO, but you can
# add a layer of Authelia here for double-security.
import authelia_auth
reverse_proxy 100.120.171.124:8081 {
header_up Host {host}
@ -57,7 +57,6 @@ privacy.corebot.ca {
}
# --- INTERNAL LAB (.io) ---
# Managed by Pi-hole, only accessible via Tailscale/Internal Network.
main.bray.io {
tls internal

98
master/docker-compose.yml
View file

@ -8,30 +8,100 @@ services:
environment:
- KOMODO_DATABASE_USERNAME=${DB_ROOT_USER}
- KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS}
# Path updated to include the database name and the admin auth source
- KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin
- KOMODO_LOCAL_AUTH=true
- KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER}
- KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS}
- KOMODO_HOST=https://core.corebot.ca
- KOMODO_OIDC_ENABLED=true
- KOMODO_OIDC_CLIENT_ID=${KOMODO_OIDC_CLIENT_ID}
- KOMODO_OIDC_CLIENT_SECRET=${KOMODO_OIDC_CLIENT_SECRET}
- KOMODO_OIDC_PROVIDER=${KOMODO_OIDC_PROVIDER}
- KOMODO_OIDC_INSECURE=true
- KOMODO_OIDC_REDIRECT_HOST=https://core.corebot.ca
volumes:
- ./komodo:/config
- /var/run/docker.sock:/var/run/docker.sock
# FIX 1: Remove the /etc/ssl/certs mount.
# Mount ONLY your custom CA to the injection point.
- /etc/ssl/certs/ca-certificates.crt:/usr/local/share/ca-certificates/caddy.crt:ro
extra_hosts:
- "auth.corebot.ca:host-gateway"
networks:
- monitor-net
caddy:
image: caddy:latest
container_name: caddy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
authentik-server:
image: ghcr.io/goauthentik/server:latest
container_name: authentik-server
command: server
environment:
# Database Connection to VM3
AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- ./legal:/usr/share/caddy/legal
- caddy_data:/data
- caddy_config:/config
- ./media:/media
- ./custom-templates:/templates
networks:
- monitor-net
ports:
- "9000:9000"
authentik-worker:
image: ghcr.io/goauthentik/server:latest
container_name: authentik-worker
command: worker
environment:
AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
networks:
- monitor-net
mystic-legal:
image: nginx:alpine
container_name: mystic-legal
restart: always
volumes:
- ./legal/html:/usr/share/nginx/html:ro
networks:
- monitor-net
npm:
image: 'jc21/nginx-proxy-manager:latest'
container_name: npm
restart: always
ports:
- '80:80'
- '81:81' # This is your new Admin UI
- '443:443'
volumes:
- ./npm/data:/data
- ./npm/letsencrypt:/etc/letsencrypt
networks:
- monitor-net
@ -58,12 +128,12 @@ services:
restart: always
volumes:
- ./authelia:/config
env_file: .env
environment:
- TZ=America/New_York
- JWT_SECRET=${JWT_SECRET}
- STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY}
- SESSION_SECRET=${SECRET}
- ENCRYPT_KEY=${ENCRYPT_KEY}
- FORGEJO_DB_PASS=${FORGEJO_DB_PASS}
networks:
- monitor-net
@ -128,7 +198,5 @@ networks:
external: true
volumes:
caddy_data:
caddy_config:
grafana_data:
prometheus_data:

1
passwords/docker-compose.yml
View file

@ -7,6 +7,7 @@ services:
- "8081:80"
environment:
- ADMIN_TOKEN=${ADMIN_TOKEN}
- ENABLE_SSO=true
- SIGNUPS_ALLOWED=false
- DOMAIN=https://vault.corebot.ca
- SMTP_HOST=${SMTP_HOST}