Refactor Authelia database configuration to use environment variables for improved security and flexibility; add Duplicati service for encrypted cloud backup.

2025-12-02 05:48:54 +01:00
parent 9ac7fefb3d
commit 96e3c80ffb
3 changed files with 43 additions and 4 deletions
--- a/authelia/configuration.template.yml
+++ b/authelia/configuration.template.yml
@@ -35,8 +35,9 @@ session:
 storage:
  postgres:
    address: 'tcp://authelia-db:5432'
-    database: 'authelia'
-    username: 'authelia'
+    database: '${AUTHELIA_DB_NAME}'
+    username: '${AUTHELIA_DB_USER}'
+    password: '${AUTHELIA_DB_PASSWORD}'

 notifier:
  disable_startup_check: true
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -37,6 +37,7 @@ storage:
    address: 'tcp://authelia-db:5432'
    database: 'authelia'
    username: 'authelia'
+    password: 'p/6EGIgTxPndniwUCY54G7q5jOPqXofF'

 notifier:
  disable_startup_check: true
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,6 +16,7 @@ volumes:
  beszel_data:
  gitea_data:
  gitea_db_data:
+  duplicati_config:

 ########################
 # Services
@@ -149,6 +150,9 @@ services:
      TZ: "${TZ}"
      DOMAIN: "${DOMAIN}"
      DOMAIN_PREFIX: "${DOMAIN_PREFIX}"
+      AUTHELIA_DB_NAME: "${AUTHELIA_DB_NAME}"
+      AUTHELIA_DB_USER: "${AUTHELIA_DB_USER}"
+      AUTHELIA_DB_PASSWORD: "${AUTHELIA_DB_PASSWORD}"
      AUTHELIA_SESSION_SECRET: '${AUTHELIA_SESSION_SECRET}'
      AUTHELIA_STORAGE_ENCRYPTION_KEY: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
      AUTHELIA_STORAGE_POSTGRES_PASSWORD: '${AUTHELIA_DB_PASSWORD}'
@@ -173,8 +177,8 @@ services:
    restart: unless-stopped
    networks: [traefik_proxy]
    environment:
-      POSTGRES_DB: authelia
-      POSTGRES_USER: authelia
+      POSTGRES_DB: ${AUTHELIA_DB_NAME}
+      POSTGRES_USER: ${AUTHELIA_DB_USER}
      POSTGRES_PASSWORD: ${AUTHELIA_DB_PASSWORD}
    volumes:
      - authelia_db_data:/var/lib/postgresql/data
@@ -348,6 +352,8 @@ services:
      - GITEA__server__SSH_LISTEN_PORT=22
      - GITEA__security__SECRET_KEY=${GITEA_SECRET_KEY}
      - GITEA__security__INTERNAL_TOKEN=${GITEA_INTERNAL_TOKEN}
+      - GITEA__i18n__LANGS=en-US
+      - GITEA__i18n__NAMES=English
    volumes:
      - gitea_data:/data
      - /etc/timezone:/etc/timezone:ro
@@ -390,3 +396,34 @@ services:
      timeout: 10s
      retries: 3
      start_period: 30s
+
+  ## ─────────────────────────────────────────────
+  ## Duplicati — encrypted cloud backup
+  ## ─────────────────────────────────────────────
+  duplicati:
+    image: lscr.io/linuxserver/duplicati:latest
+    container_name: duplicati
+    restart: unless-stopped
+    networks: [traefik_proxy]
+    environment:
+      - PUID=0
+      - PGID=0
+      - TZ=${TZ}
+      - SETTINGS_ENCRYPTION_KEY=${DUPLICATI_ENCRYPTION_KEY}
+      - CLI_ARGS=--webservice-allowed-hostnames=* --webservice-password=${DUPLICATI_PASSWORD}
+    volumes:
+      - duplicati_config:/config
+      - /:/source:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.duplicati.rule=Host(`backup.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.duplicati.entrypoints=websecure"
+      - "traefik.http.routers.duplicati.tls.certresolver=le"
+      - "traefik.http.routers.duplicati.middlewares=security-headers@docker"
+      - "traefik.http.services.duplicati.loadbalancer.server.port=8200"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8200"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s