From e9f517509d69a6cdbcadc97b2b4bcd2ec5e49942 Mon Sep 17 00:00:00 2001
From: Teck Meng
Date: Sat, 14 Sep 2024 16:29:20 +0800
Subject: [PATCH] Refactor authentik.yml and local_services.yml to rename services and add authentication middleware
---
 swarm/authentik.yml | 37 +++++++++++++++++++++++++-------
 swarm/traefik/local_services.yml | 19 ++++++++++++++++
 2 files changed, 48 insertions(+), 8 deletions(-)
diff --git a/swarm/authentik.yml b/swarm/authentik.yml
index cc670a3..a6bdf50 100644
--- a/swarm/authentik.yml
+++ b/swarm/authentik.yml
@@ -48,7 +48,7 @@ services:
 - redis:/data
 networks:
 - authentik
- server:
+ authentik-server:
 image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.1}
 restart: unless-stopped
 command: server
@@ -70,9 +70,9 @@ services:
 # ports:
 # - "${COMPOSE_PORT_HTTP:-9000}:9000"
 # - "${COMPOSE_PORT_HTTPS:-9443}:9443"
- depends_on:
- - postgresql
- - redis
+ # depends_on:
+ # - postgresql
+ # - redis
 networks:
 - authentik
 - traefik-public
@@ -86,7 +86,7 @@ services:
 - traefik.http.routers.authentik-rtr.tls.certresolver=le
 - traefik.http.routers.authentik-rtr.service=authentik-svc
 - traefik.http.services.authentik-svc.loadbalancer.server.port=9000
- worker:
+ authentik-worker:
 image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.1}
 restart: unless-stopped
 command: worker
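Review bot: Commenting out `depends_on` on authentik-server leaves startup ordering to the restart policy, but the `restart: unless-stopped` on the context line above it is a Compose-only key that `docker stack deploy` ignores, as is `depends_on` itself — so under Swarm (which the `swarm/` path suggests) the server has no declared policy to recover from coming up before postgresql or redis. If this stack is deployed with `docker stack deploy`, declare the policy where Swarm reads it — `deploy:` / `  restart_policy:` / `    condition: on-failure` — and either delete the commented `depends_on` lines or add a comment saying why they are kept. If it is run with plain `docker compose`, `depends_on` is honored and dropping it does change startup order, so a one-line comment stating the intent would help either way.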
@@ -111,9 +111,30 @@ services:
 - /var/data/authentik/custom-templates:/templates
 # env_file:
 # - .env
- depends_on:
- - postgresql
- - redis
+ # depends_on:
+ # - postgresql
+ # - redis
 networks:
 - authentik
 
+ # authentik-proxy:
+ # image: ghcr.io/goauthentik/proxy
+ # # ports:
+ # # - 9000:9000
+ # # - 9443:9443
+ # environment:
+ # AUTHENTIK_HOST: https://authentik.${DOMAIN}
+ # AUTHENTIK_INSECURE: "false"
+ # AUTHENTIK_TOKEN: token-generated-by-authentik
+ # # Starting with 2021.9, you can optionally set this too
+ # # when authentik_host for internal communication doesn't match the public URL
+ # # AUTHENTIK_HOST_BROWSER: https://external-domain.tld
+ # labels:
+ # traefik.enable: true
+ # traefik.port: 9000
+ # traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
+ # # `authentik-proxy` refers to the service name in the compose file.
+ # traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
+ # traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
+ # traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
+ # restart: unless-stopped
\ No newline at end of file
diff --git a/swarm/traefik/local_services.yml b/swarm/traefik/local_services.yml
index ae6aa7e..774826a 100644
--- a/swarm/traefik/local_services.yml
+++ b/swarm/traefik/local_services.yml
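Review bot: The commented-out `authentik-proxy` block appended at the end of the file carries `AUTHENTIK_TOKEN: token-generated-by-authentik` as an inline literal; if it is ever uncommented the outpost token lands in a committed compose file, so that line should read `AUTHENTIK_TOKEN: ${AUTHENTIK_OUTPOST_TOKEN}` with the value supplied from the shell environment or the untracked env file already sketched by the `# env_file:` lines above, matching the `${AUTHENTIK_IMAGE}`/`${AUTHENTIK_TAG}` substitutions this file already uses. The block also duplicates the `forwardAuth` middleware this same commit defines in `swarm/traefik/local_services.yml` against the embedded outpost on `authentik-server`, so as it stands it is dead configuration — either drop it or head it with `# Reference only: standalone proxy outpost; superseded by the file-provider middleware in traefik/local_services.yml`. The file now ends without a trailing newline, which is worth fixing while here.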
@@ -3,6 +3,25 @@ http:
 pvetransport:
 insecureSkipVerify: true
 
+ middlewares:
+ authentik:
+ forwardAuth:
+ address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
+ - authorization
+
 routers:
 local-traefik-public-https:
 entryPoints:
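Review bot: `trustForwardHeader: true` makes the middleware relay the request's `X-Forwarded-*` headers to authentik, which (as far as the outpost derives the original host, scheme and URI from them) is safe only while the entrypoint keeps Traefik's default of overwriting forwarded headers from untrusted sources; if `forwardedHeaders.insecure` or a broad `trustedIPs` is set in the static config, which is not visible here, a client could spoof `X-Forwarded-Host`/`X-Forwarded-Proto` on the auth check. A comment above that line would record the dependency: `# Required by authentik (reads X-Forwarded-Host/Proto/Uri); only safe because the entrypoint strips client-supplied X-Forwarded-* headers`. The `address` hard-codes the service name `authentik-server` introduced by the rename in swarm/authentik.yml and speaks plain HTTP across the overlay network, and the identity headers under `authResponseHeaders` are only trustworthy on backends reachable solely through a router that carries `middlewares: [authentik@file]` — nothing in this hunk attaches the middleware, so that should be confirmed on the routers below. The lowercase `authorization` next to the `X-authentik-*` names is harmless, since Traefik canonicalizes header names, but `Authorization` would match the style of the rest of the list.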