mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-10-27 20:44:07 +00:00
119 lines
4.9 KiB
YAML
119 lines
4.9 KiB
YAML
|
secrets:
|
||
|
|
# These secrets are used by Authelia
|
||
|
|
JWT_SECRET:
|
||
|
|
file: ${SECRETS_DIR}/JWT_SECRET
|
||
|
|
SESSION_SECRET:
|
||
|
|
file: ${SECRETS_DIR}/SESSION_SECRET
|
||
|
|
STORAGE_ENCRYPTION_KEY:
|
||
|
|
file: ${SECRETS_DIR}/STORAGE_ENCRYPTION_KEY
|
||
|
|
# These secrets are for using Authelia as an OIDC provider
|
||
|
|
HMAC_SECRET:
|
||
|
|
file: ${SECRETS_DIR}/HMAC_SECRET
|
||
|
|
JWT_PRIVATE_KEY:
|
||
|
|
file: ${SECRETS_DIR}/certs/private.pem
|
||
|
|
GRIST_CLIENT_SECRET_DIGEST:
|
||
|
|
file: ${SECRETS_DIR}/GRIST_CLIENT_SECRET_DIGEST
|
||
|
|
|
||
|
|
services:
|
||
|
|
grist:
|
||
|
|
image: gristlabs/grist:latest
|
||
|
|
environment:
|
||
|
|
# The URL of given OIDC provider. Used for redirects, among other things.
|
||
|
|
GRIST_OIDC_IDP_ISSUER: https://${AUTHELIA_DOMAIN}
|
||
|
|
# Client ID, as configured with the OIDC provider.
|
||
|
|
GRIST_OIDC_IDP_CLIENT_ID: grist-local
|
||
|
|
# Client secret, as provided by the OIDC provider.
|
||
|
|
GRIST_OIDC_IDP_CLIENT_SECRET: ${GRIST_CLIENT_SECRET}
|
||
|
|
# The URL to redirect to with the OIDC provider to log out.
|
||
|
|
# Some OIDC providers will automatically configure this.
|
||
|
|
GRIST_OIDC_IDP_END_SESSION_ENDPOINT: https://${AUTHELIA_DOMAIN}/logout
|
||
|
|
# Allow self-signed certificates so this example behaves correctly.
|
||
|
|
# REMOVE THIS IF HOSTING ON THE INTERNET.
|
||
|
|
NODE_TLS_REJECT_UNAUTHORIZED: 0
|
||
|
|
|
||
|
|
# Forces Grist to only use a single team called 'Example'
|
||
|
|
GRIST_SINGLE_ORG: my-grist-team # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
|
||
|
|
# Force users to login (disable anonymous access)
|
||
|
|
GRIST_FORCE_LOGIN: true
|
||
|
|
# Base URL Grist redirects to when navigating. Change this to your domain.
|
||
|
|
APP_HOME_URL: https://${GRIST_DOMAIN}
|
||
|
|
# Default email for the "Admin" account
|
||
|
|
GRIST_DEFAULT_EMAIL: ${DEFAULT_EMAIL:-test@example.org}
|
||
|
|
restart: always
|
||
|
|
volumes:
|
||
|
|
# Where to store persistent data, such as documents.
|
||
|
|
- ${PERSIST_DIR}/grist:/persist
|
||
|
|
labels:
|
||
|
|
- "traefik.http.services.grist.loadbalancer.server.port=8484"
|
||
|
|
- "traefik.http.routers.grist.rule=Host(`${GRIST_DOMAIN}`)"
|
||
|
|
- "traefik.http.routers.grist.service=grist"
|
||
|
|
# Uncomment and configure in traefik-config.yml to enable automatic HTTPS certificate setup.
|
||
|
|
#- "traefik.http.routers.grist.tls.certresolver=letsencrypt"
|
||
|
|
depends_on:
|
||
|
|
# Grist attempts to setup OIDC when it starts, making a request to the OIDC service.
|
||
|
|
# This will fail if Authelia isn't ready and reachable.
|
||
|
|
# Traefik will only start routing to Authelia when it's registered as healthy.
|
||
|
|
# Making Grist wait for Authelia to be healthy should avoid this issue.
|
||
|
|
authelia:
|
||
|
|
condition: service_healthy
|
||
|
|
traefik:
|
||
|
|
condition: service_started
|
||
|
|
|
||
|
|
traefik:
|
||
|
|
image: traefik:latest
|
||
|
|
ports:
|
||
|
|
# HTTP Ports
|
||
|
|
- "80:80"
|
||
|
|
- "443:443"
|
||
|
|
# The Web UI (enabled by --api.insecure=true)
|
||
|
|
- "8080:8080"
|
||
|
|
- "8082:8082"
|
||
|
|
volumes:
|
||
|
|
# Set the config file for traefik - this is loaded automatically.
|
||
|
|
- ./configs/traefik/config.yml:/etc/traefik/traefik.yml
|
||
|
|
# Certificate location, if automatic certificate setup is enabled.
|
||
|
|
- ./secrets/acme_certificates:/acme
|
||
|
|
# Traefik needs docker access when configured via docker labels.
|
||
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
||
|
|
networks:
|
||
|
|
default:
|
||
|
|
aliases:
|
||
|
|
# Enables Grist to resolve this domain to Traefik when doing OIDC setup.
|
||
|
|
- ${AUTHELIA_DOMAIN}
|
||
|
|
|
||
|
|
authelia:
|
||
|
|
image: authelia/authelia:4
|
||
|
|
secrets:
|
||
|
|
- HMAC_SECRET
|
||
|
|
- JWT_SECRET
|
||
|
|
- JWT_PRIVATE_KEY
|
||
|
|
- GRIST_CLIENT_SECRET_DIGEST
|
||
|
|
- SESSION_SECRET
|
||
|
|
- STORAGE_ENCRYPTION_KEY
|
||
|
|
environment:
|
||
|
|
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
|
||
|
|
AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
|
||
|
|
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
|
||
|
|
HMAC_SECRET_FILE: '/run/secrets/HMAC_SECRET'
|
||
|
|
JWT_PRIVATE_KEY_FILE: '/run/secrets/JWT_PRIVATE_KEY'
|
||
|
|
# Domain Grist is hosted at. Custom variable that's interpolated into the Authelia config
|
||
|
|
APP_DOMAIN: ${GRIST_DOMAIN}
|
||
|
|
# Where Authelia should redirect to after successful authentication.
|
||
|
|
GRIST_OAUTH_CALLBACK_URL: https://${GRIST_DOMAIN}/oauth2/callback
|
||
|
|
# Hash of the client secret provided to Grist.
|
||
|
|
GRIST_CLIENT_SECRET_DIGEST_FILE: "/run/secrets/GRIST_CLIENT_SECRET_DIGEST"
|
||
|
|
volumes:
|
||
|
|
- ./configs/authelia:/config
|
||
|
|
- ${PERSIST_DIR}/authelia:/persist
|
||
|
|
command:
|
||
|
|
- 'authelia'
|
||
|
|
- '--config=/config/configuration.yml'
|
||
|
|
# Enables templating in the config file
|
||
|
|
- '--config.experimental.filters=template'
|
||
|
|
labels:
|
||
|
|
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
|
||
|
|
- "traefik.http.routers.authelia.rule=Host(`${AUTHELIA_DOMAIN}`)"
|
||
|
|
- "traefik.http.routers.authelia.service=authelia"
|
||
|
|
# Uncomment and configure in traefik-config.yml to enable automatic HTTPS certificate setup.
|
||
|
|
#- "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
|