chore: first update for docker-compose files

2025-08-17 17:12:13 -06:00 · 2025-07-31 13:37:08 +02:00 · 2025-07-31 13:37:08 +02:00 · 62edda5f9f
parent f24c972216
commit 62edda5f9f
2 changed files with 78 additions and 33 deletions
--- a/docs/examples/docker/idp-authelia-traefik/docker-compose.yml
+++ b/docs/examples/docker/idp-authelia-traefik/docker-compose.yml
@ -6,7 +6,7 @@ networks:

 services:
  copyparty:
-    image: copyparty/ac
+    image: copyparty/ac:latest
    container_name: idp_copyparty
    user: "1000:1000"  # should match the user/group of your fileshare volumes
    volumes:
@ -19,14 +19,13 @@ services:
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.copyparty.rule=Host(`fs.example.com`)'
-      - 'traefik.http.routers.copyparty.entrypoints=https'
+      - 'traefik.http.routers.copyparty.entrypoints=websecure'
      - 'traefik.http.routers.copyparty.tls=true'
      - 'traefik.http.routers.copyparty.middlewares=authelia@docker'
    stop_grace_period: 15s  # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal
    environment:
      LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE
      # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram)
-
      PYTHONUNBUFFERED: 1
      # ensures log-messages are not delayed (but can reduce speed a tiny bit)

@ -40,7 +39,7 @@ services:
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
-      - 'traefik.http.routers.authelia.entrypoints=https'
+      - 'traefik.http.routers.authelia.entrypoints=websecure'
      - 'traefik.http.routers.authelia.tls=true'
      #- 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'  # uncomment this to enable automatic certificate signing (1/2)
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://authelia.example.com'
@ -54,11 +53,11 @@ services:
    environment:
      - TZ=Etc/UTC

-  redis:
-    image: redis:7.2.4-alpine3.19
-    container_name: idp_redis
+  valkey:
+    image: valkey/valkey:8.0-alpine
+    container_name: idp_valkey
    volumes:
-      - ./redis:/data:z
+      - ./valkey:/data:z
    networks:
      - net
    expose:
@ -67,14 +66,34 @@ services:
    environment:
      - TZ=Etc/UTC

+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:3.2.3
+    container_name: idp_socket_proxy
+    restart: unless-stopped
+    environment:
+      - CONTAINERS=1
+      - NETWORKS=1
+      - EVENTS=1
+      - PING=1 
+      - VERSION=1
+      - LOG_LEVEL=warning
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /run:noexec,nosuid,size=10m
+    networks:
+      - net
+    expose:
+      - 2375
+
  traefik:
-    image: traefik:2.11.0
+    image: traefik:3.5
    container_name: idp_traefik
    volumes:
      - ./traefik:/etc/traefik:z
-      - /var/run/docker.sock:/var/run/docker.sock  # WARNING: this gives traefik full root-access to the host OS, but is recommended/required(?) by traefik
-    security_opt:
-      - label:disable  # disable selinux because it (rightly) blocks access to docker.sock
    networks:
      - net
    labels:
@ -90,16 +109,16 @@ services:
      - '443:443'
    command:
      - '--api'
-      - '--providers.docker=true'
+      - '--providers.docker.endpoint=tcp://socket-proxy:2375'
      - '--providers.docker.exposedByDefault=false'
-      - '--entrypoints.http=true'
-      - '--entrypoints.http.address=:80'
-      - '--entrypoints.http.http.redirections.entrypoint.to=https'
-      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
-      - '--entrypoints.https=true'
-      - '--entrypoints.https.address=:443'
+      - '--entrypoints.web.address=:80'
+      - '--entrypoints.web.http.redirections.entrypoint.to=websecure'
+      - '--entrypoints.web.http.redirections.entrypoint.scheme=https'
+      - '--entrypoints.websecure.address=:443'
      - '--certificatesResolvers.letsencrypt.acme.email=your-email@your-domain.com'
      - '--certificatesResolvers.letsencrypt.acme.storage=/etc/traefik/acme.json'
      - '--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http'
-      - '--log=true'
+      
      - '--log.level=WARNING'  # DEBUG
+    depends_on:
+      - idp_socket_proxy
--- a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml
+++ b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml
@ -3,12 +3,12 @@
 volumes:
  database:
    driver: local
-  redis:
+  valkey:
    driver: local

 services:
  copyparty:
-    image: copyparty/ac
+    image: copyparty/ac:latest
    container_name: idp_copyparty
    restart: unless-stopped
    user: "1000:1000"  # should match the user/group of your fileshare volumes
@ -30,20 +30,46 @@ services:
      PYTHONUNBUFFERED: 1
      # ensures log-messages are not delayed (but can reduce speed a tiny bit)

+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:3.2.3
+    container_name: idp_socket_proxy
+    restart: unless-stopped
+    environment:
+      - CONTAINERS=1
+      - NETWORKS=1
+      - EVENTS=1
+      - PING=1 
+      - VERSION=1
+      - LOG_LEVEL=warning
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /run:noexec,nosuid,size=10m
+    expose:
+      - 2375
+
  traefik:
-    image: traefik:v2.11
+    image: traefik:3.5
    container_name: traefik
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock  # WARNING: this gives traefik full root-access to the host OS, but is recommended/required(?) by traefik
-    security_opt:
-      - label:disable  # disable selinux because it (rightly) blocks access to docker.sock
+      - ./traefik:/etc/traefik:Z
    ports:
-      - 80:80
+      - "80:80"
+      - "443:443"
    command:
      - '--api'
-      - '--providers.docker=true'
+      - '--providers.docker.endpoint=tcp://socket-proxy:2375'
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.web.address=:80'
+      - '--entrypoints.web.http.redirections.entrypoint.to=websecure'
+      - '--entrypoints.web.http.redirections.entrypoint.scheme=https'
+      - '--entrypoints.websecure.address=:443'
+      - '--log.level=WARNING'
+    depends_on:
+      - idp_socket_proxy

  postgresql:
    image: docker.io/library/postgres:12-alpine
@ -64,19 +90,19 @@ services:
    env_file:
      - .env

-  redis:
-    image: docker.io/library/redis:alpine
+  valkey:
+    image: valkey/valkey:8.0-alpine
    command: --save 60 1 --loglevel warning
-    container_name: idp_redis
+    container_name: idp_valkey
    restart: unless-stopped
    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      test: ["CMD-SHELL", "valkey-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
-      - redis:/data:z
+      - valkey:/data:z

  authentik_server:
    image: ghcr.io/goauthentik/server:2024.2.1