several fixes
This commit is contained in:
parent
e2cb78101d
commit
1f24e81f6d
4 changed files with 49 additions and 30 deletions
|
@ -1,8 +1,8 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
38653965373362373633626561363436306535383363306363323934333030653434303238393764
|
66373633656230653931396338653736613131323132663434626133353132613562323538656130
|
||||||
3963303739303161336635643963336365653066656534380a643739333261383731343966613132
|
3562653037663735646464656230323234626635343638300a623862363238346539313539353530
|
||||||
65383261343733353263383436616363323739326135346139646564326362386234356262663365
|
34633531323030333965303065666563646330366634363739323634643734373837333566313566
|
||||||
3963616639656131310a343065363336653135666163646664626363386236623064633634636234
|
6466653337366637650a316638313638346432346562343731663865376166336533386137653461
|
||||||
36306234626538313563646138663031613031626237333462303038653839303534336630346661
|
36663537393665383931613765656234646535326563313166346566613166333266373935336330
|
||||||
37363737306330626436613763373365663231333165616362346138663866643134336630653061
|
61353666356466623739333262613064623164346133326533313238323433323731653933653062
|
||||||
663332333639616437346239643635363264
|
336431386536613361653963666438326163
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: authentik-docker
|
owner: authentik-docker
|
||||||
group: root
|
group: docker
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ docker_compose_config_dir }}/authentik"
|
- "{{ docker_compose_config_dir }}/authentik"
|
||||||
|
@ -27,8 +27,8 @@
|
||||||
dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
|
dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
|
||||||
force: true
|
force: true
|
||||||
owner: authentik-docker
|
owner: authentik-docker
|
||||||
group: root
|
group: docker
|
||||||
mode: '0600'
|
mode: '0660'
|
||||||
with_items:
|
with_items:
|
||||||
- .env
|
- .env
|
||||||
notify: restart-authentik-docker
|
notify: restart-authentik-docker
|
||||||
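Review bot: In the second hunk (`@ -27,8 +27,8`), `.env` becomes group-owned by `docker` with `mode: '0660'`, so every member of the docker group can now both read and modify the file that supplies `POSTGRES_PASSWORD` and the rest of the compose environment. Group read may be what the change needs, but group write is not implied by it; `mode: '0640'` keeps the read effect without letting group members edit the secrets, unless the service itself writes to `.env`. Members of the docker group can usually reach the daemon socket anyway, so the practical exposure is limited, but the mode still documents intent and narrows accidental edits. The first hunk's directory change to `group: docker` with `'0755'` widens nothing further since the directory was already world-readable; both enclosing tasks start before their hunks.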
|
|
|
@ -3,33 +3,33 @@ Description=Authentik in Docker
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=exec
|
Type=exec
|
||||||
User=authentik-docker
|
#User=authentik-docker
|
||||||
WorkingDirectory={{ docker_compose_config_dir }}/authentik
|
WorkingDirectory={{ docker_compose_config_dir }}/authentik
|
||||||
ExecStart=docker compose up postgresql redis server worker
|
ExecStart=docker compose up postgresql redis server worker
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
RestartSec=30s
|
RestartSec=30s
|
||||||
|
|
||||||
# Optional hardening to improve security
|
# Optional hardening to improve security
|
||||||
ReadWritePaths={{ docker_volumes_dir }}/ /tmp/
|
#ReadWritePaths={{ docker_volumes_dir }}/ /tmp/ {{ docker_compose_config_dir }}/
|
||||||
NoNewPrivileges=yes
|
#NoNewPrivileges=yes
|
||||||
#MemoryDenyWriteExecute=true
|
#MemoryDenyWriteExecute=true
|
||||||
PrivateDevices=yes
|
#PrivateDevices=yes
|
||||||
PrivateTmp=yes
|
#PrivateTmp=yes
|
||||||
ProtectHome=yes
|
#ProtectHome=yes
|
||||||
ProtectSystem=strict
|
#ProtectSystem=strict
|
||||||
ProtectControlGroups=true
|
#ProtectControlGroups=true
|
||||||
RestrictSUIDSGID=true
|
#RestrictSUIDSGID=true
|
||||||
RestrictRealtime=true
|
#RestrictRealtime=true
|
||||||
LockPersonality=true
|
#LockPersonality=true
|
||||||
ProtectKernelLogs=true
|
#ProtectKernelLogs=true
|
||||||
ProtectKernelTunables=true
|
#ProtectKernelTunables=true
|
||||||
ProtectHostname=true
|
#ProtectHostname=true
|
||||||
ProtectKernelModules=true
|
#ProtectKernelModules=true
|
||||||
PrivateUsers=true
|
#PrivateUsers=true
|
||||||
ProtectClock=true
|
#ProtectClock=true
|
||||||
SystemCallArchitectures=native
|
#SystemCallArchitectures=native
|
||||||
SystemCallErrorNumber=EPERM
|
#SystemCallErrorNumber=EPERM
|
||||||
SystemCallFilter=@system-service
|
#SystemCallFilter=@system-service
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
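Review bot: The unit now runs `docker compose` as root with no sandboxing, because `User=authentik-docker` and every directive under `# Optional hardening to improve security` are commented out rather than adjusted, while that comment still reads as if the block were active. The new commented-out `ReadWritePaths=` line, which adds `{{ docker_compose_config_dir }}/`, suggests the breakage was a write denied by `ProtectSystem=strict`; if so, enabling that one corrected line should let `ProtectSystem=strict` and most of the remaining directives stay on, with `PrivateUsers=true` the one most likely to interfere with reaching the daemon socket — worth confirming directive by directive instead of disabling the block. Dropping `User=` is a separate question: if the goal was socket access, keeping the user in the docker group (the tasks file's `group: docker` change points that way) achieves it without running the unit as root. At minimum the comment should say why the block is off, e.g. `# Hardening disabled: <reason> — re-enable per directive once verified`.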
|
|
|
@ -17,6 +17,8 @@ services:
|
||||||
- POSTGRES_PASSWORD=${PG_PASS:?database password required}
|
- POSTGRES_PASSWORD=${PG_PASS:?database password required}
|
||||||
- POSTGRES_USER=${PG_USER:-authentik}
|
- POSTGRES_USER=${PG_USER:-authentik}
|
||||||
- POSTGRES_DB=${PG_DB:-authentik}
|
- POSTGRES_DB=${PG_DB:-authentik}
|
||||||
|
networks:
|
||||||
|
- authentik_net
|
||||||
env_file:
|
env_file:
|
||||||
- .env
|
- .env
|
||||||
redis:
|
redis:
|
||||||
|
@ -31,6 +33,8 @@ services:
|
||||||
timeout: 3s
|
timeout: 3s
|
||||||
volumes:
|
volumes:
|
||||||
- {{ docker_volumes_dir }}/authentik/redis:/data
|
- {{ docker_volumes_dir }}/authentik/redis:/data
|
||||||
|
networks:
|
||||||
|
- authentik_net
|
||||||
server:
|
server:
|
||||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
|
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
@ -49,6 +53,9 @@ services:
|
||||||
- {{ docker_volumes_dir }}/authentik/media:/media
|
- {{ docker_volumes_dir }}/authentik/media:/media
|
||||||
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
|
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
|
||||||
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
|
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
|
||||||
|
networks:
|
||||||
|
- authentik_net
|
||||||
|
- nginx_net
|
||||||
env_file:
|
env_file:
|
||||||
- .env
|
- .env
|
||||||
expose:
|
expose:
|
||||||
|
@ -77,12 +84,16 @@ services:
|
||||||
- {{ docker_volumes_dir }}/authentik/certs:/certs
|
- {{ docker_volumes_dir }}/authentik/certs:/certs
|
||||||
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
|
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
|
||||||
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
|
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
|
||||||
|
networks:
|
||||||
|
- authentik_net
|
||||||
env_file:
|
env_file:
|
||||||
- .env
|
- .env
|
||||||
geoipupdate:
|
geoipupdate:
|
||||||
image: "maxmindinc/geoipupdate:latest"
|
image: "maxmindinc/geoipupdate:latest"
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP"
|
- "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP"
|
||||||
|
networks:
|
||||||
|
- authentik_net
|
||||||
environment:
|
environment:
|
||||||
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
|
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
|
||||||
GEOIPUPDATE_FREQUENCY: "8"
|
GEOIPUPDATE_FREQUENCY: "8"
|
||||||
|
@ -96,3 +107,11 @@ volumes:
|
||||||
driver: local
|
driver: local
|
||||||
geoip:
|
geoip:
|
||||||
driver: local
|
driver: local
|
||||||
|
|
||||||
|
networks:
|
||||||
|
authentik_net:
|
||||||
|
external: false
|
||||||
|
name: authentik_net
|
||||||
|
nginx_net:
|
||||||
|
external: true
|
||||||
|
name: nginx_net
|
||||||
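Review bot: In the hunk at `@ -77,12 +84,16`, `geoipupdate` is attached to `authentik_net`, which places the MaxMind updater on the same network as `postgresql` and `redis` even though its only link to the stack is the shared `geoip` volume. A user-defined bridge still provides outbound NAT, so the updater would keep internet access on a network of its own, declared next to `authentik_net` in the last hunk, and would lose direct reach to the database and cache — that limits what a compromised updater image (pulled as `:latest`) can touch. Keeping `postgresql` and `redis` only on `authentik_net` and letting `server` alone also join `nginx_net` is the right split. The `services:` mapping these hunks belong to starts before the first hunk.
```yaml
  geoipupdate:
    # … unchanged: image, volumes …
    networks:
      - geoip_net
    # … unchanged: environment …
# … unchanged: volumes …
networks:
  # … unchanged: authentik_net, nginx_net …
  geoip_net:
    external: false
    name: geoip_net
```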
|
|