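---
# docker-compose stack: copyparty fileshare behind traefik, with authentik as the
# identity provider (traefik ForwardAuth middleware -> authentik embedded outpost).
# Secrets are expected in ./.env, which compose reads for ${...} interpolation
# at startup and which is also handed to the containers via env_file.
version: "3.4"  # ignored by compose v2, kept for older clients

volumes:
  database:
    driver: local
  redis:
    driver: local

services:
  copyparty:
    image: copyparty/ac
    container_name: idp_copyparty
    restart: unless-stopped
    user: "1000:1000"  # should match the user/group of your fileshare volumes
    volumes:
      - ./cpp/:/cfg:z  # the copyparty config folder
      - /srv/pub:/w:z  # this is where we declare that "/srv/pub" is the filesystem-path on the server that shall be shared online
    # `expose` only makes the port reachable on the docker networks (i.e. by traefik);
    # a `ports:` entry would additionally publish it on a random host port, where it
    # could be reached without passing through the ak-forwardauth middleware below
    expose:
      - "3923"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.fs.entrypoints=http"
      - "traefik.http.routers.fs.rule=Host(`fs.example.com`)"
      - "traefik.http.middlewares.fs-https-redirect.redirectscheme.scheme=https"
      # the plain-http router only redirects to https; the auth middleware is attached
      # to the https router (a second `routers.fs.middlewares` label would replace this
      # one rather than add to it, leaving fs-secure without authentication)
      - "traefik.http.routers.fs.middlewares=fs-https-redirect"
      - "traefik.http.routers.fs-secure.entrypoints=https"
      - "traefik.http.routers.fs-secure.rule=Host(`fs.example.com`)"
      - "traefik.http.routers.fs-secure.tls=true"
      - "traefik.http.routers.fs-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.fs-secure.service=fs"
      # using authentik built-in docker outpost; the middleware itself is declared on
      # the authentik_server labels, hence the `@docker` provider suffix
      - "traefik.http.routers.fs-secure.middlewares=ak-forwardauth@docker"
      - "traefik.http.services.fs.loadbalancer.server.port=3923"
      - "traefik.docker.network=proxy"
    depends_on:
      - authentik_server
    stop_grace_period: 15s  # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal
    environment:
      LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE  # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram)
      PYTHONUNBUFFERED: "1"  # ensures log-messages are not delayed (but can reduce speed a tiny bit); quoted so it is passed as a string
    networks:
      - proxy

  traefik:
    image: traefik:latest  # consider pinning a tag so upgrades happen deliberately
    container_name: traefik
    volumes:
      # WARNING: this gives traefik full root-access to the host OS, but is recommended/required(?) by traefik
      # mounted read-only: the docker provider only reads container metadata from the socket
      - /var/run/docker.sock:/var/run/docker.sock:ro
    security_opt:
      - label:disable  # disable selinux because it (rightly) blocks access to docker.sock
    ports:
      - "80:80"  # quoted: an unquoted digits:digits value is a sexagesimal int in yaml 1.1
      - "443:443"
    command:
      - '--api'
      - '--providers.docker=true'
      - '--providers.docker.exposedByDefault=false'
      # entrypoint names must match the `entrypoints=http` / `entrypoints=https`
      # router labels used by the copyparty and authentik services
      - '--entrypoints.http.address=:80'
      - '--entrypoints.https.address=:443'
      # NOTE(review): the `tls.certresolver=cloudflare` labels below reference a resolver
      # that is not configured in this file; add the matching
      # `--certificatesresolvers.cloudflare...` options (and its credentials via .env)
    labels:
      - "traefik.enable=true"
      # To allow for custom headers to be forwarded
      # (this middleware is declared but not attached to any router in this file)
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
    networks:
      - proxy

  postgresql:
    image: docker.io/library/postgres:12-alpine
    container_name: idp_postgresql
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data:z
    environment:
      # PG_PASS (name chosen here; set it in ./.env) is interpolated by compose;
      # the `:?` form aborts `docker compose up` when it is unset instead of
      # silently falling back to a password committed in this file
      POSTGRES_PASSWORD: ${PG_PASS:?set PG_PASS in .env}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
    env_file:
      - .env
    networks:
      - authentik-backend

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    container_name: idp_redis
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data:z
    networks:
      - authentik-backend

  authentik_server:
    image: ghcr.io/goauthentik/server:2024.2.1
    container_name: idp_authentik_server
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?set PG_PASS in .env}  # same value as POSTGRES_PASSWORD above
      # NOTE(review): no AUTHENTIK_SECRET_KEY here; presumably supplied by .env — verify
    volumes:
      - ./media:/media:z
      - ./custom-templates:/templates:z
    env_file:
      - .env
    ports:  # can be commented out if you only want to access authentik via traefik
      - "9000"
      - "9443"
    depends_on:
      - postgresql
      - redis
    labels:
      # Https setup with Cloudflare as DNS provider for certresolver
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.entrypoints=http"
      - "traefik.http.routers.authentik.rule=Host(`auth.example.com`)"
      - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
      - "traefik.http.routers.authentik-secure.entrypoints=https"
      - "traefik.http.routers.authentik-secure.rule=Host(`auth.example.com`)"
      - "traefik.http.routers.authentik-secure.tls=true"
      - "traefik.http.routers.authentik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.authentik-secure.service=authentik"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
      - "traefik.docker.network=proxy"
      # ForwardAuth middleware → embedded outpost (internal URL!) will work for all services on the same docker network
      # the hostname `authentik-server` in this address is not the service name
      # (`authentik_server`) nor the container name (`idp_authentik_server`); it is
      # provided by the network alias declared under `networks:` below
      - "traefik.http.middlewares.ak-forwardauth.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.ak-forwardauth.forwardauth.trustForwardHeader=true"
      # Choose which headers you want forwarded to the backend from https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_traefik/
      - "traefik.http.middlewares.ak-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups"
    networks:
      proxy:
        aliases:
          - authentik-server  # makes the forwardauth address above resolvable from traefik
      authentik-backend: {}

  authentik_worker:
    image: ghcr.io/goauthentik/server:2024.2.1
    container_name: idp_authentik_worker
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?set PG_PASS in .env}  # same value as POSTGRES_PASSWORD above
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media:z
      - ./certs:/certs:z
      - ./custom-templates:/templates:z
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
    networks:
      - proxy
      - authentik-backend

# you have to manually create this network before starting docker-compose
networks:
  proxy:
    external: true
  authentik-backend: {}  # explicit empty mapping (a bare `authentik-backend:` is null)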