several fixes
This commit is contained in:
parent
e2cb78101d
commit
1f24e81f6d
4 changed files with 49 additions and 30 deletions
|
@ -1,8 +1,8 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
38653965373362373633626561363436306535383363306363323934333030653434303238393764
|
||||
3963303739303161336635643963336365653066656534380a643739333261383731343966613132
|
||||
65383261343733353263383436616363323739326135346139646564326362386234356262663365
|
||||
3963616639656131310a343065363336653135666163646664626363386236623064633634636234
|
||||
36306234626538313563646138663031613031626237333462303038653839303534336630346661
|
||||
37363737306330626436613763373365663231333165616362346138663866643134336630653061
|
||||
663332333639616437346239643635363264
|
||||
66373633656230653931396338653736613131323132663434626133353132613562323538656130
|
||||
3562653037663735646464656230323234626635343638300a623862363238346539313539353530
|
||||
34633531323030333965303065666563646330366634363739323634643734373837333566313566
|
||||
6466653337366637650a316638313638346432346562343731663865376166336533386137653461
|
||||
36663537393665383931613765656234646535326563313166346566613166333266373935336330
|
||||
61353666356466623739333262613064623164346133326533313238323433323731653933653062
|
||||
336431386536613361653963666438326163
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: authentik-docker
|
||||
group: root
|
||||
group: docker
|
||||
mode: '0755'
|
||||
with_items:
|
||||
- "{{ docker_compose_config_dir }}/authentik"
|
||||
|
@ -27,8 +27,8 @@
|
|||
dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
|
||||
force: true
|
||||
owner: authentik-docker
|
||||
group: root
|
||||
mode: '0600'
|
||||
group: docker
|
||||
mode: '0660'
|
||||
with_items:
|
||||
- .env
|
||||
notify: restart-authentik-docker
|
||||
|
|
|
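Review bot: In the second hunk the `.env` copy now lands with `group: docker` and `mode: '0660'`, so the file that the compose stack loads through `env_file` (and that supplies `PG_PASS`) becomes writable, not just readable, by every member of the docker group; if the intent is only that a docker-group member can read it, `mode: '0640'` is sufficient. The matching `group: docker` on the directory task in the first hunk is harmless at `0755`, but neither task says why the group changed, and a short comment such as `# group docker: the compose client must be able to read .env — confirm who runs it` would help the next reader. Both tasks start outside their hunks, so the `copy`/`file` module names are inferred from the parameters shown.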
@ -3,33 +3,33 @@ Description=Authentik in Docker
|
|||
|
||||
[Service]
|
||||
Type=exec
|
||||
User=authentik-docker
|
||||
#User=authentik-docker
|
||||
WorkingDirectory={{ docker_compose_config_dir }}/authentik
|
||||
ExecStart=docker compose up postgresql redis server worker
|
||||
Restart=on-failure
|
||||
RestartSec=30s
|
||||
|
||||
# Optional hardening to improve security
|
||||
ReadWritePaths={{ docker_volumes_dir }}/ /tmp/
|
||||
NoNewPrivileges=yes
|
||||
#ReadWritePaths={{ docker_volumes_dir }}/ /tmp/ {{ docker_compose_config_dir }}/
|
||||
#NoNewPrivileges=yes
|
||||
#MemoryDenyWriteExecute=true
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectHome=yes
|
||||
ProtectSystem=strict
|
||||
ProtectControlGroups=true
|
||||
RestrictSUIDSGID=true
|
||||
RestrictRealtime=true
|
||||
LockPersonality=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelModules=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallErrorNumber=EPERM
|
||||
SystemCallFilter=@system-service
|
||||
#PrivateDevices=yes
|
||||
#PrivateTmp=yes
|
||||
#ProtectHome=yes
|
||||
#ProtectSystem=strict
|
||||
#ProtectControlGroups=true
|
||||
#RestrictSUIDSGID=true
|
||||
#RestrictRealtime=true
|
||||
#LockPersonality=true
|
||||
#ProtectKernelLogs=true
|
||||
#ProtectKernelTunables=true
|
||||
#ProtectHostname=true
|
||||
#ProtectKernelModules=true
|
||||
#PrivateUsers=true
|
||||
#ProtectClock=true
|
||||
#SystemCallArchitectures=native
|
||||
#SystemCallErrorNumber=EPERM
|
||||
#SystemCallFilter=@system-service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
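Review bot: If the commented-out lines are the new side, as the print order and the extra `{{ docker_compose_config_dir }}/` entry in `#ReadWritePaths=` suggest, this hunk drops `User=authentik-docker` and disables every sandboxing directive at once, so `docker compose up` now runs as root with no `NoNewPrivileges`, `ProtectSystem` or `PrivateTmp`. The Ansible hunks in the same commit still chown the compose directory and `.env` to `authentik-docker`, which no longer matches a root-run unit, so the two changes look inconsistent. The sandbox directives only constrain the docker CLI process, not the containers, so losing `User=` is the part that matters most; the remaining options are better bisected one at a time than removed wholesale. At minimum the disabled block needs a comment recording the failure it works around, e.g. `# Hardening disabled: <observed failure> — re-enable once resolved`.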
@ -17,6 +17,8 @@ services:
|
|||
- POSTGRES_PASSWORD=${PG_PASS:?database password required}
|
||||
- POSTGRES_USER=${PG_USER:-authentik}
|
||||
- POSTGRES_DB=${PG_DB:-authentik}
|
||||
networks:
|
||||
- authentik_net
|
||||
env_file:
|
||||
- .env
|
||||
redis:
|
||||
|
@ -31,6 +33,8 @@ services:
|
|||
timeout: 3s
|
||||
volumes:
|
||||
- {{ docker_volumes_dir }}/authentik/redis:/data
|
||||
networks:
|
||||
- authentik_net
|
||||
server:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
|
||||
restart: unless-stopped
|
||||
|
@ -49,6 +53,9 @@ services:
|
|||
- {{ docker_volumes_dir }}/authentik/media:/media
|
||||
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
|
||||
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
|
||||
networks:
|
||||
- authentik_net
|
||||
- nginx_net
|
||||
env_file:
|
||||
- .env
|
||||
expose:
|
||||
|
@ -77,12 +84,16 @@ services:
|
|||
- {{ docker_volumes_dir }}/authentik/certs:/certs
|
||||
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
|
||||
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
|
||||
networks:
|
||||
- authentik_net
|
||||
env_file:
|
||||
- .env
|
||||
geoipupdate:
|
||||
image: "maxmindinc/geoipupdate:latest"
|
||||
volumes:
|
||||
- "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP"
|
||||
networks:
|
||||
- authentik_net
|
||||
environment:
|
||||
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
|
||||
GEOIPUPDATE_FREQUENCY: "8"
|
||||
|
@ -96,3 +107,11 @@ volumes:
|
|||
driver: local
|
||||
geoip:
|
||||
driver: local
|
||||
|
||||
networks:
|
||||
authentik_net:
|
||||
external: false
|
||||
name: authentik_net
|
||||
nginx_net:
|
||||
external: true
|
||||
name: nginx_net
|
||||
|
|
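Review bot: The `env_file: - .env` stanza added to postgresql, redis, server and worker injects the entire `.env`, including `PG_PASS`, into the environment of every container, even ones like redis that need none of it. Compose already resolves `${PG_PASS}` and `${PG_USER}` from the project `.env` for interpolation, so listing only the needed variables under each service's `environment:` gives the same result without spreading the secrets; a quick `docker compose config` would show what each container currently receives. The `maxmindinc/geoipupdate:latest` tag, whether or not it is new in this commit, should be pinned the way `AUTHENTIK_TAG` is.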