several fixes

This commit is contained in:
erebion 2022-12-17 03:53:55 +01:00
parent e2cb78101d
commit 1f24e81f6d
4 changed files with 49 additions and 30 deletions


@ -1,8 +1,8 @@
$ANSIBLE_VAULT;1.1;AES256
38653965373362373633626561363436306535383363306363323934333030653434303238393764
3963303739303161336635643963336365653066656534380a643739333261383731343966613132
65383261343733353263383436616363323739326135346139646564326362386234356262663365
3963616639656131310a343065363336653135666163646664626363386236623064633634636234
36306234626538313563646138663031613031626237333462303038653839303534336630346661
37363737306330626436613763373365663231333165616362346138663866643134336630653061
663332333639616437346239643635363264
66373633656230653931396338653736613131323132663434626133353132613562323538656130
3562653037663735646464656230323234626635343638300a623862363238346539313539353530
34633531323030333965303065666563646330366634363739323634643734373837333566313566
6466653337366637650a316638313638346432346562343731663865376166336533386137653461
36663537393665383931613765656234646535326563313166346566613166333266373935336330
61353666356466623739333262613064623164346133326533313238323433323731653933653062
336431386536613361653963666438326163


@ -11,7 +11,7 @@
path: "{{ item }}"
state: directory
owner: authentik-docker
group: root
group: docker
mode: '0755'
with_items:
- "{{ docker_compose_config_dir }}/authentik"
@ -27,8 +27,8 @@
dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
force: true
owner: authentik-docker
group: root
mode: '0600'
group: docker
mode: '0660'
with_items:
- .env
notify: restart-authentik-docker
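Review bot: `mode: '0660'` on the `.env` task makes the file group-writable, so every member of the `docker` group can now edit the secrets it carries (the compose template in this commit loads it via `env_file` and reads `PG_PASS` from it) rather than merely read them; `mode: '0640'` gives a group reader what it needs with the smallest widening. Membership in `docker` is usually root-equivalent on a host that exposes the default daemon socket, so the read bit is a modest concession, but the write bit additionally lets a group member change what `restart-authentik-docker` reloads on the next notify. Note also that the unit template in this same commit comments out `User=authentik-docker`, so as committed the service runs as root and would have read the file at `0600` anyway — the relaxation only buys something once the non-root user is restored. I would keep `group: docker` with `mode: '0640'` and add `# group-readable for the docker-group service user; keep write access owner-only` above the mode so the intent survives the next edit.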


@ -3,33 +3,33 @@ Description=Authentik in Docker
[Service]
Type=exec
User=authentik-docker
#User=authentik-docker
WorkingDirectory={{ docker_compose_config_dir }}/authentik
ExecStart=docker compose up postgresql redis server worker
Restart=on-failure
RestartSec=30s
# Optional hardening to improve security
ReadWritePaths={{ docker_volumes_dir }}/ /tmp/
NoNewPrivileges=yes
#ReadWritePaths={{ docker_volumes_dir }}/ /tmp/ {{ docker_compose_config_dir }}/
#NoNewPrivileges=yes
#MemoryDenyWriteExecute=true
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictRealtime=true
LockPersonality=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectHostname=true
ProtectKernelModules=true
PrivateUsers=true
ProtectClock=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
#PrivateDevices=yes
#PrivateTmp=yes
#ProtectHome=yes
#ProtectSystem=strict
#ProtectControlGroups=true
#RestrictSUIDSGID=true
#RestrictRealtime=true
#LockPersonality=true
#ProtectKernelLogs=true
#ProtectKernelTunables=true
#ProtectHostname=true
#ProtectKernelModules=true
#PrivateUsers=true
#ProtectClock=true
#SystemCallArchitectures=native
#SystemCallErrorNumber=EPERM
#SystemCallFilter=@system-service
[Install]
WantedBy=multi-user.target
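Review bot: Commenting out `User=authentik-docker` together with every hardening directive means `docker compose up` now runs as root with no sandbox, which is a far larger regression than the `ReadWritePaths` problem the new `#ReadWritePaths=… {{ docker_compose_config_dir }}/` line hints at (the compose dir was missing from the old list while `ProtectSystem=strict` was on). If that was the breakage, the narrower fix is to re-enable `ReadWritePaths` with the config dir included and keep `User=authentik-docker` (the Ansible change to `group: docker` in this commit appears to be preparing exactly that), leaving only the directives that plausibly interfere with reaching the Docker daemon socket — `PrivateUsers=true`, `PrivateDevices=yes`, `SystemCallFilter=@system-service` — commented while `NoNewPrivileges=yes`, `ProtectHome=yes`, `PrivateTmp=yes`, the `ProtectKernel*`/`ProtectClock`/`ProtectHostname` lines, `LockPersonality`, `RestrictRealtime` and `SystemCallArchitectures=native` are turned back on. Whatever stays disabled should carry a reason, e.g. `# disabled: breaks docker compose access to the daemon socket — TODO confirm which directive`, so the block is not mistaken for optional boilerplate. Bear in mind these settings only confine the compose client process; the containers it starts are children of the Docker daemon and are not covered by this unit's sandbox, so the `User=` line is the one that matters most. The `[Unit]` section begins before this hunk.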


@ -17,6 +17,8 @@ services:
- POSTGRES_PASSWORD=${PG_PASS:?database password required}
- POSTGRES_USER=${PG_USER:-authentik}
- POSTGRES_DB=${PG_DB:-authentik}
networks:
- authentik_net
env_file:
- .env
redis:
@ -31,6 +33,8 @@ services:
timeout: 3s
volumes:
- {{ docker_volumes_dir }}/authentik/redis:/data
networks:
- authentik_net
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
restart: unless-stopped
@ -49,6 +53,9 @@ services:
- {{ docker_volumes_dir }}/authentik/media:/media
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
networks:
- authentik_net
- nginx_net
env_file:
- .env
expose:
@ -77,12 +84,16 @@ services:
- {{ docker_volumes_dir }}/authentik/certs:/certs
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
networks:
- authentik_net
env_file:
- .env
geoipupdate:
image: "maxmindinc/geoipupdate:latest"
volumes:
- "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP"
networks:
- authentik_net
environment:
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
GEOIPUPDATE_FREQUENCY: "8"
@ -96,3 +107,11 @@ volumes:
driver: local
geoip:
driver: local
networks:
authentik_net:
external: false
name: authentik_net
nginx_net:
external: true
name: nginx_net
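Review bot: `geoipupdate` is attached to `authentik_net` alongside `postgresql` and `redis`, but it only shares the `geoip` volume with `server`/`worker` and needs outbound access to MaxMind, not a network path to the database. Dropping its `networks:` stanza (Compose then places it on the project's `default` network, which still has egress) or giving it a dedicated network keeps Postgres and Redis reachable only from `server` and `worker`. With that change the internal network is exposed exactly as far as `server`, which is the one service deliberately dual-homed on `nginx_net` and `authentik_net`. A short comment on `authentik_net` such as `# internal: only server/worker/postgresql/redis; nginx reaches server via nginx_net` would document the intended segmentation for the next reader.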