gristlabs_grist-core/docker-compose-examples/grist-traefik-oidc-auth/docker-compose.yml

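# Example stack: Grist behind Traefik, with Authelia acting as the OIDC
# identity provider. Authelia's secrets are supplied as files under ./secrets
# and mounted into its container at /run/secrets rather than passed inline.
secrets:
  # These secrets are used by Authelia
  JWT_SECRET:
    file: ./secrets/JWT_SECRET
  SESSION_SECRET:
    file: ./secrets/SESSION_SECRET
  STORAGE_ENCRYPTION_KEY:
    file: ./secrets/STORAGE_ENCRYPTION_KEY
  # These secrets are for using Authelia as an OIDC provider
  HMAC_SECRET:
    file: ./secrets/HMAC_SECRET
  JWT_PRIVATE_KEY:
    file: ./secrets/certs/private.pem
  # Hash of the client secret issued to Grist; Authelia only ever sees the digest.
  GRIST_CLIENT_SECRET_DIGEST:
    file: ./secrets/GRIST_CLIENT_SECRET_DIGEST

services:
  grist:
    # Unpinned tag: pin to a specific version (or image digest) for
    # reproducible, reviewable upgrades once this leaves the example stage.
    image: gristlabs/grist:latest
    environment:
      # The URL of the OIDC provider. Used for redirects, among other things.
      GRIST_OIDC_IDP_ISSUER: https://auth.grist.localhost
      # Client ID, as configured with the OIDC provider.
      GRIST_OIDC_IDP_CLIENT_ID: grist-local
      # Client secret, as provided by the OIDC provider. Expanded by Compose
      # from the shell environment or a .env file; keep that file out of
      # version control (Authelia itself only stores the digest, see secrets).
      GRIST_OIDC_IDP_CLIENT_SECRET: ${GRIST_CLIENT_SECRET}
      # The URL to redirect to with the OIDC provider to log out.
      # Some OIDC providers will automatically configure this.
      GRIST_OIDC_IDP_END_SESSION_ENDPOINT: https://auth.grist.localhost/logout
      # Allow self-signed certificates so this example behaves correctly.
      # This disables certificate verification for ALL outbound TLS connections
      # made by the Node process, not only the OIDC calls.
      # REMOVE THIS IF HOSTING ON THE INTERNET.
      NODE_TLS_REJECT_UNAUTHORIZED: "0"
      # Forces Grist to only use a single team called 'my-grist-team'.
      # Alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation.
      GRIST_SINGLE_ORG: my-grist-team
      # Force users to login (disable anonymous access).
      # Quoted on purpose: environment values are strings, and a bare `true`
      # is parsed as a YAML boolean that Compose tooling may warn on or rewrite.
      GRIST_FORCE_LOGIN: "true"
      # Base URL Grist redirects to when navigating. Change this to your domain.
      APP_HOME_URL: https://grist.localhost
      # Default email for the "Admin" account
      GRIST_DEFAULT_EMAIL: test@example.org
    restart: always
    volumes:
      # Where to store persistent data, such as documents.
      - ./grist_local_data:/persist
    labels:
      - "traefik.http.services.grist.loadbalancer.server.port=8484"
      - "traefik.http.routers.grist.rule=Host(`grist.localhost`)"
      - "traefik.http.routers.grist.service=grist"
      # Uncomment, and configure a certificate resolver in ./configs/traefik/config.yml
      # (mounted into the traefik service below), to enable automatic HTTPS certificate setup.
      # - "traefik.http.routers.grist.tls.certresolver=letsencrypt"
    depends_on:
      # Grist attempts to set up OIDC when it starts, making a request to the OIDC service.
      # This will fail if Authelia isn't ready and reachable.
      # Traefik will only start routing to Authelia when it's registered as healthy.
      # Making Grist wait for Authelia to be healthy should avoid this issue.
      authelia:
        condition: service_healthy
      traefik:
        condition: service_started

  traefik:
    # Unpinned tag: see the note on the grist image above.
    image: traefik:latest
    ports:
      # HTTP and HTTPS entrypoints
      - "80:80"
      - "443:443"
      # The Web UI and API (enabled by --api.insecure=true). Served without
      # authentication: do not publish these ports on an internet-facing host.
      - "8080:8080"
      - "8082:8082"
    volumes:
      # Set the config file for traefik - this is loaded automatically.
      - ./configs/traefik/config.yml:/etc/traefik/traefik.yml
      # Certificate location, if automatic certificate setup is enabled.
      - ./configs/traefik/acme:/acme
      # Traefik needs docker access when configured via docker labels.
      # Access to the daemon socket is equivalent to root on the host, so this
      # host must be trusted; a socket proxy that exposes only the read-only
      # endpoints Traefik needs limits the blast radius.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      default:
        aliases:
          # Enables Grist to resolve this domain to Traefik when doing OIDC setup.
          - auth.grist.localhost

  authelia:
    image: authelia/authelia:4
    secrets:
      - HMAC_SECRET
      - JWT_SECRET
      - JWT_PRIVATE_KEY
      - GRIST_CLIENT_SECRET_DIGEST
      - SESSION_SECRET
      - STORAGE_ENCRYPTION_KEY
    environment:
      # Secret values are read from the files Compose mounts under /run/secrets,
      # so no secret material appears in the environment or in this file.
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
      AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
      HMAC_SECRET_FILE: '/run/secrets/HMAC_SECRET'
      JWT_PRIVATE_KEY_FILE: '/run/secrets/JWT_PRIVATE_KEY'
      # Domain Grist is hosted at. Custom variable that's interpolated into the Authelia config
      APP_DOMAIN: 'grist.localhost'
      # Where Authelia should redirect to after successful authentication.
      GRIST_OAUTH_CALLBACK_URL: https://grist.localhost/oauth2/callback
      # Hash of the client secret provided to Grist.
      GRIST_CLIENT_SECRET_DIGEST_FILE: '/run/secrets/GRIST_CLIENT_SECRET_DIGEST'
    volumes:
      - ./configs/authelia:/config
    command:
      - 'authelia'
      - '--config=/config/configuration.yml'
      # Enables templating in the config file
      - '--config.experimental.filters=template'
    labels:
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      - "traefik.http.routers.authelia.rule=Host(`auth.grist.localhost`)"
      - "traefik.http.routers.authelia.service=authelia"
      # Uncomment, and configure a certificate resolver in ./configs/traefik/config.yml
      # (mounted into the traefik service above), to enable automatic HTTPS certificate setup.
      # - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"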