Refactor authentik.yml and local_services.yml to rename services and add authentication middleware

2024-09-14 16:29:20 +08:00
parent df53a0535a
commit e9f517509d
2 changed files with 48 additions and 8 deletions
@@ -48,7 +48,7 @@ services:
      - redis:/data
    networks:
      - authentik
-  server:
+  authentik-server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.1}
    restart: unless-stopped
    command: server
@@ -70,9 +70,9 @@ services:
    # ports:
    #   - "${COMPOSE_PORT_HTTP:-9000}:9000"
    #   - "${COMPOSE_PORT_HTTPS:-9443}:9443"
-    depends_on:
-      - postgresql
-      - redis
+    # depends_on:
+      # - postgresql
+      # - redis
    networks:
      - authentik
      - traefik-public
@@ -86,7 +86,7 @@ services:
        - traefik.http.routers.authentik-rtr.tls.certresolver=le
        - traefik.http.routers.authentik-rtr.service=authentik-svc
        - traefik.http.services.authentik-svc.loadbalancer.server.port=9000
-  worker:
+  authentik-worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.1}
    restart: unless-stopped
    command: worker
@@ -111,9 +111,30 @@ services:
      - /var/data/authentik/custom-templates:/templates
    # env_file:
    #   - .env
-    depends_on:
-      - postgresql
-      - redis
+    # depends_on:
+      # - postgresql
+      # - redis
    networks:
      - authentik

+  # authentik-proxy:
+  #   image: ghcr.io/goauthentik/proxy
+  #   # ports:
+  #   #   - 9000:9000
+  #   #   - 9443:9443
+  #   environment:
+  #     AUTHENTIK_HOST: https://authentik.${DOMAIN}
+  #     AUTHENTIK_INSECURE: "false"
+  #     AUTHENTIK_TOKEN: token-generated-by-authentik
+  #     # Starting with 2021.9, you can optionally set this too
+  #     # when authentik_host for internal communication doesn't match the public URL
+  #     # AUTHENTIK_HOST_BROWSER: https://external-domain.tld
+  #   labels:
+  #     traefik.enable: true
+  #     traefik.port: 9000
+  #     traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
+  #     # `authentik-proxy` refers to the service name in the compose file.
+  #     traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
+  #     traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
+  #     traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
+  #   restart: unless-stopped
@@ -3,6 +3,25 @@ http:
    pvetransport:
      insecureSkipVerify: true

+  middlewares:
+    authentik:
+      forwardAuth:
+        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+        - X-authentik-username
+        - X-authentik-groups
+        - X-authentik-email
+        - X-authentik-name
+        - X-authentik-uid
+        - X-authentik-jwt
+        - X-authentik-meta-jwks
+        - X-authentik-meta-outpost
+        - X-authentik-meta-provider
+        - X-authentik-meta-app
+        - X-authentik-meta-version
+        - authorization
+
  routers:
    local-traefik-public-https:
      entryPoints: