mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-10-27 20:44:07 +00:00
120 lines
4.2 KiB
YAML
120 lines
4.2 KiB
YAML
# This is an example of Grist using Authelia and Traefik for OIDC authentication and https encryption.
|
|
|
|
# At a minimum, the following should be changed before hosting this example on the internet:
|
|
# - An SMTP notifier should be setup to allow Authelia to send emails, instead of logging to a file.
|
|
# - DNS should be setup appropriately
|
|
|
|
# Users are defined in ./configs/authelia/user-database.yml
|
|
|
|
# See https://support.getgrist.com for more information.
|
|
|
|
secrets:
|
|
# These secrets are used by Authelia
|
|
JWT_SECRET:
|
|
file: ./secrets/JWT_SECRET
|
|
SESSION_SECRET:
|
|
file: ./secrets/SESSION_SECRET
|
|
STORAGE_ENCRYPTION_KEY:
|
|
file: ./secrets/STORAGE_ENCRYPTION_KEY
|
|
# These secrets are for using Authelia as an OIDC provider
|
|
HMAC_SECRET:
|
|
file: ./secrets/HMAC_SECRET
|
|
|
|
services:
|
|
grist:
|
|
image: gristlabs/grist:latest
|
|
ports:
|
|
- 8484:8484
|
|
environment:
|
|
GRIST_OIDC_IDP_ISSUER: http://dex:5556
|
|
GRIST_OIDC_IDP_CLIENT_ID: grist-client
|
|
GRIST_OIDC_IDP_CLIENT_SECRET: app-secret
|
|
GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: true
|
|
|
|
# Forces Grist to only use a single team called 'Example'
|
|
GRIST_SINGLE_ORG: my-grist-team # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
|
|
# Force users to login (disable anonymous access)
|
|
GRIST_FORCE_LOGIN: true
|
|
# Base URL Grist redirects to when navigating. Change this to your domain.
|
|
APP_HOME_URL: https://grist.localhost
|
|
# Default email for the "Admin" account
|
|
GRIST_DEFAULT_EMAIL: test@example.org
|
|
volumes:
|
|
# Where to store persistent data, such as documents.
|
|
- ./grist_local_data:/persist
|
|
labels:
|
|
- "traefik.http.services.grist.loadbalancer.server.port=8484"
|
|
- "traefik.http.routers.grist.rule=Host(`grist.localhost`)"
|
|
- "traefik.http.routers.grist.service=grist"
|
|
- "traefik.http.routers.grist.tls.certresolver=letsencrypt"
|
|
#
|
|
# traefik:
|
|
# image: traefik:latest
|
|
# ports:
|
|
# # HTTP Ports
|
|
# - "80:80"
|
|
# - "443:443"
|
|
# # The Web UI (enabled by --api.insecure=true)
|
|
# # - "8080:8080"
|
|
# volumes:
|
|
# # Set the config file for traefik - this is loaded automatically.
|
|
# - ./configs/traefik-config.yml:/etc/traefik/traefik.yml
|
|
# # Set the config file for the dynamic config, such as middleware.
|
|
# - ./configs/traefik-dynamic-config.yml:/etc/traefik/dynamic/dynamic-config.yml
|
|
# # You may want to put state somewhere other than /tmp :-)
|
|
# - /tmp/grist/acme:/acme
|
|
# # Traefik needs docker access when configured via docker labels.
|
|
# - /var/run/docker.sock:/var/run/docker.sock
|
|
# depends_on:
|
|
# grist:
|
|
# condition: service_started
|
|
# authelia:
|
|
# condition: service_started
|
|
|
|
# authelia:
|
|
# image: authelia/authelia:4
|
|
# ports:
|
|
# - 9091:9091
|
|
# secrets:
|
|
# - HMAC_SECRET
|
|
# - JWT_SECRET
|
|
# - SESSION_SECRET
|
|
# - STORAGE_ENCRYPTION_KEY
|
|
# environment:
|
|
# AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
|
|
# AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
|
|
# AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
|
|
# # Domain Grist is hosted at. Custom variable that's interpolated into the Authelia config
|
|
# APP_DOMAIN: 'grist.localhost'
|
|
# volumes:
|
|
# - ./configs/authelia:/config
|
|
# command:
|
|
# - 'authelia'
|
|
# - '--config=/config/configuration.yml'
|
|
# # Enables passing environment variables down to the Authelia config.
|
|
# - '--config.experimental.filters=template'
|
|
# labels:
|
|
# - "traefik.http.services.authelia.loadbalancer.server.port=9091"
|
|
# - "traefik.http.routers.authelia.rule=Host(`auth.grist.localhost`)"
|
|
# - "traefik.http.routers.authelia.service=authelia"
|
|
# - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
|
|
|
|
dex:
|
|
image: dexidp/dex:latest
|
|
ports:
|
|
- 5556:5556
|
|
- 5557:5557
|
|
environment:
|
|
DEX_ISSUER: http://auth.grist.localhost:5556/
|
|
DEX_STORAGE_SQLITE3_CONFIG_FILE: /dex_db/dex.db
|
|
DEX_ENABLE_PASSWORD_DB: true
|
|
DEX_OAUTH2_PASSWORD_CONNECTOR: local
|
|
volumes:
|
|
- ./configs/dex:/config
|
|
- ./dex_db:/dex_db
|
|
command:
|
|
- dex
|
|
- serve
|
|
- /config/config.yaml
|
|
|