diff --git a/bundles/docker-goauthentik/metadata.py b/bundles/docker-goauthentik/metadata.py
new file mode 100644
index 0000000..8cae899
--- /dev/null
+++ b/bundles/docker-goauthentik/metadata.py
@@ -0,0 +1,89 @@
+assert node.has_bundle('docker-engine')
+
+defaults = {
+ 'docker-engine': {
+ 'containers': {
+ 'goauthentik-server': {
+ 'image': 'ghcr.io/goauthentik/server:latest',
+ 'command': 'server',
+ 'environment': {
+ 'AUTHENTIK_POSTGRESQL__HOST': 'goauthentik-postgresql',
+ 'AUTHENTIK_POSTGRESQL__NAME': 'goauthentik',
+ 'AUTHENTIK_POSTGRESQL__PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'),
+ 'AUTHENTIK_POSTGRESQL__USER': 'goauthentik',
+ 'AUTHENTIK_REDIS__HOST': 'goauthentik-redis',
+ 'AUTHENTIK_SECRET_KEY': repo.vault.password_for(f'{node.name} goauthentik secret key'),
+ },
+ 'volumes': {
+ 'media': '/media',
+ 'templates': '/templates',
+ },
+ 'ports': {
+ '9000': '9000',
+ '9443': '9443',
+ },
+ 'needs': {
+ 'svc_systemd:docker-goauthentik-postgresql',
+ 'svc_systemd:docker-goauthentik-redis',
+ },
+ 'requires': {
+ 'docker-goauthentik-postgresql.service',
+ 'docker-goauthentik-redis.service',
+ },
+ },
+ 'goauthentik-worker': {
+ 'image': 'ghcr.io/goauthentik/server:latest',
+ 'command': 'worker',
+ 'user': 'docker-goauthentik-server',
+ 'environment': {
+ 'AUTHENTIK_POSTGRESQL__HOST': 'goauthentik-postgresql',
+ 'AUTHENTIK_POSTGRESQL__NAME': 'goauthentik',
+ 'AUTHENTIK_POSTGRESQL__PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'),
+ 'AUTHENTIK_POSTGRESQL__USER': 'goauthentik',
+ 'AUTHENTIK_REDIS__HOST': 'goauthentik-redis',
+ 'AUTHENTIK_SECRET_KEY': repo.vault.password_for(f'{node.name} goauthentik secret key'),
+ },
+ 'volumes': {
+ '/var/opt/docker-engine/goauthentik-server/media': '/media',
+ '/var/opt/docker-engine/goauthentik-server/certs': '/certs',
+ '/var/opt/docker-engine/doauthentik-server/templates': '/templates',
+ },
+ 'needs': {
+ 'svc_systemd:docker-goauthentik-postgresql',
+ 'svc_systemd:docker-goauthentik-redis',
+ },
+ 'requires': {
+ 'docker-goauthentik-postgresql.service',
+ 'docker-goauthentik-redis.service',
+ },
+ },
+ 'goauthentik-postgresql': {
+ 'image': 
'docker.io/library/postgres:16-alpine',
+ 'environment': {
+ 'POSTGRES_PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'),
+ 'POSTGRES_USER': 'goauthentik',
+ 'POSTGRES_DB': 'goauthentik',
+ },
+ 'volumes': {
+ 'database': '/var/lib/postgresql/data',
+ },
+ },
+ 'goauthentik-redis': {
+ 'image': 'docker.io/library/redis:alpine',
+ },
+ },
+ },
+ 'nginx': {
+ 'vhosts': {
+ 'goauthentik': {
+ 'locations': {
+ '/': {
+ 'target': 'http://127.0.0.1:9000/',
+ 'websockets': True,
+ 'max_body_size': '5000m',
+ },
+ },
+ },
+ },
+ },
+}
diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml
index 54a5fe1..407bb70 100644
--- a/nodes/rottenraptor-server.toml
+++ b/nodes/rottenraptor-server.toml
@@ -5,6 +5,7 @@ groups = [ ] bundles = [ "docker-engine", + "docker-goauthentik", "docker-immich", "ipmitool", "redis",
@@ -27,6 +28,9 @@ gateway6 = "2001:67c:b54:1::1" redirect = "https://www.rottenraptor.com/" mode = 302 +[metadata.nginx.vhosts.goauthentik] +domain = "sso.rotten.city" + +[metadata.nginx.vhosts.immich] domain = "immich.rotten.city"
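Review bot: Both `goauthentik-server` and `goauthentik-worker` pull `ghcr.io/goauthentik/server:latest`, so the identity provider that will front the other vhosts is silently upgraded by whatever the registry serves at the next pull, and the two containers can land on different versions if they are pulled at different times; pin one release tag (ideally with an `@sha256:` digest) and use the same value in both `image` keys, e.g. through a module-level constant. The worker's templates mount reads `'/var/opt/docker-engine/doauthentik-server/templates': '/templates',` — `doauthentik`, not `goauthentik` — which does not match the `goauthentik-server` prefix of its sibling `media` and `certs` mounts, so the worker presumably renders from a different, empty directory than the server; it should read `'/var/opt/docker-engine/goauthentik-server/templates': '/templates',`. `ports` publishes 9000 and 9443 even though nginx only proxies to `http://127.0.0.1:9000/`; unless the docker-engine bundle binds published ports to loopback by default (not visible here), that exposes authentik's own listeners beside the reverse proxy, so bind explicitly (`'127.0.0.1:9000': '9000'`) and drop `9443` if nothing needs it. `'max_body_size': '5000m'` on an SSO vhost looks copied from a media host; authentik only needs uploads for branding assets, so a few megabytes is enough and keeps the auth endpoint from accepting multi-gigabyte request bodies.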