nix-config/hosts/franz/arion/auth/arion-compose.nix
2024-11-18 20:39:25 +01:00

131 lines
3.8 KiB
Nix

let
authentikImage = "ghcr.io/goauthentik/server:2024.10.2";
in {
project.name = "auth";
networks.dmz = {
name = "dmz";
external = true;
};
networks.internal = {};
services = {
authentik.service = {
image = authentikImage;
container_name = "authentik";
labels = {
"traefik.enable" = "true";
"traefik.http.services.authentik.loadbalancer.server.port" = "9000";
"traefik.http.routers.authentik.service" = "authentik";
"traefik.http.routers.authentik.rule" = "Host(`auth.ghoscht.com`)";
"traefik.http.routers.authentik.entrypoints" = "websecure";
"traefik.http.routers.authentik.tls" = "true";
"traefik.http.routers.authentik.tls.certresolver" = "letsencrypt";
"traefik.http.services.authentik-external.loadbalancer.server.port" = "9000";
"traefik.http.routers.authentik-external.service" = "authentik-external";
"traefik.http.routers.authentik-external.rule" = "Host(`auth.ghoscht.com`)";
"traefik.http.routers.authentik-external.entrypoints" = "websecure-external";
"traefik.http.routers.authentik-external.tls" = "true";
"traefik.http.routers.authentik-external.tls.certresolver" = "letsencrypt";
"diun.enable" = "true";
"diun.watch_repo" = "true";
"diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
};
command = "server";
environment = {
AUTHENTIK_REDIS__HOST = "redis";
AUTHENTIK_POSTGRESQL__HOST = "postgres";
AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
};
env_file = [
"/home/ghoscht/.docker/auth/authentik.env"
];
restart = "always";
depends_on = {
redis = {condition = "service_healthy";};
postgres = {condition = "service_healthy";};
};
volumes = [
"/home/ghoscht/.docker/auth/authentik_media:/media"
"/home/ghoscht/.docker/auth/authentik_custom_templates:/templates"
];
networks = [
"dmz"
"internal"
];
};
worker.service = {
image = authentikImage;
command = "worker";
environment = {
AUTHENTIK_REDIS__HOST = "redis";
AUTHENTIK_POSTGRESQL__HOST = "postgres";
AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
};
env_file = [
"/home/ghoscht/.docker/auth/authentik.env"
];
depends_on = {
redis = {condition = "service_healthy";};
postgres = {condition = "service_healthy";};
};
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"/home/ghoscht/.docker/auth/authentik_media:/media"
"/home/ghoscht/.docker/auth/authentik_custom_templates:/templates"
];
restart = "always";
user = "root";
networks = [
"internal"
];
};
redis.service = {
image = "redis:7.2.4";
command = "--save 60 1 --loglevel warning";
healthcheck = {
test = [
"CMD-SHELL"
"redis-cli ping | grep PONG"
];
start_period = "20s";
interval = "30s";
retries = 5;
timeout = "5s";
};
restart = "always";
volumes = [
"/home/ghoscht/.docker/auth/redis_data:/data"
];
networks = [
"internal"
];
};
postgres.service = {
image = "postgres:12.18";
restart = "always";
env_file = [
"/home/ghoscht/.docker/auth/postgres.env"
];
volumes = [
"/home/ghoscht/.docker/auth/postgres_data:/var/lib/postgresql/data"
];
healthcheck = {
test = [
"CMD-SHELL"
"pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
];
start_period = "20s";
interval = "30s";
retries = 5;
timeout = "5s";
};
networks = [
"internal"
];
};
};
}