several fixes

This commit is contained in:
erebion 2022-12-17 03:53:55 +01:00
parent e2cb78101d
commit 1f24e81f6d
4 changed files with 49 additions and 30 deletions


@ -1,8 +1,8 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
38653965373362373633626561363436306535383363306363323934333030653434303238393764 66373633656230653931396338653736613131323132663434626133353132613562323538656130
3963303739303161336635643963336365653066656534380a643739333261383731343966613132 3562653037663735646464656230323234626635343638300a623862363238346539313539353530
65383261343733353263383436616363323739326135346139646564326362386234356262663365 34633531323030333965303065666563646330366634363739323634643734373837333566313566
3963616639656131310a343065363336653135666163646664626363386236623064633634636234 6466653337366637650a316638313638346432346562343731663865376166336533386137653461
36306234626538313563646138663031613031626237333462303038653839303534336630346661 36663537393665383931613765656234646535326563313166346566613166333266373935336330
37363737306330626436613763373365663231333165616362346138663866643134336630653061 61353666356466623739333262613064623164346133326533313238323433323731653933653062
663332333639616437346239643635363264 336431386536613361653963666438326163


@ -11,7 +11,7 @@
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
owner: authentik-docker owner: authentik-docker
group: root group: docker
mode: '0755' mode: '0755'
with_items: with_items:
- "{{ docker_compose_config_dir }}/authentik" - "{{ docker_compose_config_dir }}/authentik"
@ -27,8 +27,8 @@
dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}" dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
force: true force: true
owner: authentik-docker owner: authentik-docker
group: root group: docker
mode: '0600' mode: '0660'
with_items: with_items:
- .env - .env
notify: restart-authentik-docker notify: restart-authentik-docker
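Review bot: The `.env` template in the second hunk is now written with `mode: '0660'` and `group: docker`, which gives every docker-group member read and write access to the file that the compose template loads via `env_file` and that carries the database password; group-writable secrets also let any such member change what the stack boots with. If the intent is only group read, `mode: '0640'` is enough, and since this same commit comments out `User=authentik-docker` in the unit (so compose now runs as root) it is not obvious the group relaxation is needed at all. Membership of `docker` is effectively root-equivalent through the socket, so the practical exposure is bounded, but the mode should still be the least access the consumer needs; the directory task in the first hunk (`0755`) is unaffected either way.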


@ -3,33 +3,33 @@ Description=Authentik in Docker
[Service] [Service]
Type=exec Type=exec
User=authentik-docker #User=authentik-docker
WorkingDirectory={{ docker_compose_config_dir }}/authentik WorkingDirectory={{ docker_compose_config_dir }}/authentik
ExecStart=docker compose up postgresql redis server worker ExecStart=docker compose up postgresql redis server worker
Restart=on-failure Restart=on-failure
RestartSec=30s RestartSec=30s
# Optional hardening to improve security # Optional hardening to improve security
ReadWritePaths={{ docker_volumes_dir }}/ /tmp/ #ReadWritePaths={{ docker_volumes_dir }}/ /tmp/ {{ docker_compose_config_dir }}/
NoNewPrivileges=yes #NoNewPrivileges=yes
#MemoryDenyWriteExecute=true #MemoryDenyWriteExecute=true
PrivateDevices=yes #PrivateDevices=yes
PrivateTmp=yes #PrivateTmp=yes
ProtectHome=yes #ProtectHome=yes
ProtectSystem=strict #ProtectSystem=strict
ProtectControlGroups=true #ProtectControlGroups=true
RestrictSUIDSGID=true #RestrictSUIDSGID=true
RestrictRealtime=true #RestrictRealtime=true
LockPersonality=true #LockPersonality=true
ProtectKernelLogs=true #ProtectKernelLogs=true
ProtectKernelTunables=true #ProtectKernelTunables=true
ProtectHostname=true #ProtectHostname=true
ProtectKernelModules=true #ProtectKernelModules=true
PrivateUsers=true #PrivateUsers=true
ProtectClock=true #ProtectClock=true
SystemCallArchitectures=native #SystemCallArchitectures=native
SystemCallErrorNumber=EPERM #SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service #SystemCallFilter=@system-service
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
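Review bot: Commenting out `User=authentik-docker` together with every hardening directive leaves `docker compose up` running as root with no sandbox, a sizeable regression for the unit that supervises the identity provider. The new-side `ReadWritePaths` line already adds `{{ docker_compose_config_dir }}/` and the tasks in this commit move files to group `docker`, which suggests the dedicated user could not reach the socket or config dir; the narrower fix is to keep the user and grant the group, `User=authentik-docker` plus `SupplementaryGroups=docker`, then re-enable directives one at a time. Docker-group access is root-equivalent via the socket so the gain is bounded, but `NoNewPrivileges`, `PrivateTmp`, `ProtectHome`, `ProtectSystem=strict` (with the extended `ReadWritePaths`) and the `ProtectKernel*` set cost nothing for a compose client and should at least come back. If they are meant to stay off, record why next to them, e.g. `# hardening disabled: <reason>; re-enable once <X> works`.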


@ -17,6 +17,8 @@ services:
- POSTGRES_PASSWORD=${PG_PASS:?database password required} - POSTGRES_PASSWORD=${PG_PASS:?database password required}
- POSTGRES_USER=${PG_USER:-authentik} - POSTGRES_USER=${PG_USER:-authentik}
- POSTGRES_DB=${PG_DB:-authentik} - POSTGRES_DB=${PG_DB:-authentik}
networks:
- authentik_net
env_file: env_file:
- .env - .env
redis: redis:
@ -31,6 +33,8 @@ services:
timeout: 3s timeout: 3s
volumes: volumes:
- {{ docker_volumes_dir }}/authentik/redis:/data - {{ docker_volumes_dir }}/authentik/redis:/data
networks:
- authentik_net
server: server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3} image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
restart: unless-stopped restart: unless-stopped
@ -49,6 +53,9 @@ services:
- {{ docker_volumes_dir }}/authentik/media:/media - {{ docker_volumes_dir }}/authentik/media:/media
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates - {{ docker_volumes_dir }}/authentik/custom-templates:/templates
- {{ docker_volumes_dir }}/authentik/geoip:/geoip - {{ docker_volumes_dir }}/authentik/geoip:/geoip
networks:
- authentik_net
- nginx_net
env_file: env_file:
- .env - .env
expose: expose:
@ -77,12 +84,16 @@ services:
- {{ docker_volumes_dir }}/authentik/certs:/certs - {{ docker_volumes_dir }}/authentik/certs:/certs
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates - {{ docker_volumes_dir }}/authentik/custom-templates:/templates
- {{ docker_volumes_dir }}/authentik/geoip:/geoip - {{ docker_volumes_dir }}/authentik/geoip:/geoip
networks:
- authentik_net
env_file: env_file:
- .env - .env
geoipupdate: geoipupdate:
image: "maxmindinc/geoipupdate:latest" image: "maxmindinc/geoipupdate:latest"
volumes: volumes:
- "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP" - "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP"
networks:
- authentik_net
environment: environment:
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City" GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
GEOIPUPDATE_FREQUENCY: "8" GEOIPUPDATE_FREQUENCY: "8"
@ -96,3 +107,11 @@ volumes:
driver: local driver: local
geoip: geoip:
driver: local driver: local
networks:
authentik_net:
external: false
name: authentik_net
nginx_net:
external: true
name: nginx_net
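Review bot: `geoipupdate` is attached to `authentik_net` in the last service hunk, yet it only refreshes the shared `geoip` volume and has no reason to reach postgresql, redis or the authentik server; on that network a third-party image pulled as `maxmindinc/geoipupdate:latest` gains lateral reach to the database and cache. Give it its own network so it keeps outbound access for updates but nothing internal, e.g. change its entry to `- geoip_net` and add `geoip_net: {external: false, name: authentik_geoip_net}` under the new top-level `networks:` map. Keeping postgresql/redis off `nginx_net` while only `server` spans both networks is the right shape; pinning the geoipupdate tag would close the remaining supply-chain gap, though that line is not touched by this commit.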