Refactor Authelia database configuration to use environment variables for improved security and flexibility; add Duplicati service for encrypted cloud backup.

2025-12-02 05:48:54 +01:00
parent 9ac7fefb3d
commit 96e3c80ffb
3 changed files with 43 additions and 4 deletions
--- a/authelia/configuration.template.yml
+++ b/authelia/configuration.template.yml
@@ -35,8 +35,9 @@ session:
 storage:
  postgres:
    address: 'tcp://authelia-db:5432'
-    database: 'authelia'
+    database: '${AUTHELIA_DB_NAME}'
-    username: 'authelia'
+    username: '${AUTHELIA_DB_USER}'
    password: '${AUTHELIA_DB_PASSWORD}'
 notifier:
  disable_startup_check: true
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -37,6 +37,7 @@ storage:
    address: 'tcp://authelia-db:5432'
    database: 'authelia'
    username: 'authelia'
    password: 'p/6EGIgTxPndniwUCY54G7q5jOPqXofF'
 notifier:
  disable_startup_check: true
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,6 +16,7 @@ volumes:
  beszel_data:
  gitea_data:
  gitea_db_data:
  duplicati_config:
 ########################
 # Services
@@ -149,6 +150,9 @@ services:
      TZ: "${TZ}"
      DOMAIN: "${DOMAIN}"
      DOMAIN_PREFIX: "${DOMAIN_PREFIX}"
      AUTHELIA_DB_NAME: "${AUTHELIA_DB_NAME}"
      AUTHELIA_DB_USER: "${AUTHELIA_DB_USER}"
      AUTHELIA_DB_PASSWORD: "${AUTHELIA_DB_PASSWORD}"
      AUTHELIA_SESSION_SECRET: '${AUTHELIA_SESSION_SECRET}'
      AUTHELIA_STORAGE_ENCRYPTION_KEY: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
      AUTHELIA_STORAGE_POSTGRES_PASSWORD: '${AUTHELIA_DB_PASSWORD}'
@@ -173,8 +177,8 @@ services:
    restart: unless-stopped
    networks: [traefik_proxy]
    environment:
-      POSTGRES_DB: authelia
+      POSTGRES_DB: ${AUTHELIA_DB_NAME}
-      POSTGRES_USER: authelia
+      POSTGRES_USER: ${AUTHELIA_DB_USER}
      POSTGRES_PASSWORD: ${AUTHELIA_DB_PASSWORD}
    volumes:
      - authelia_db_data:/var/lib/postgresql/data
@@ -348,6 +352,8 @@ services:
      - GITEA__server__SSH_LISTEN_PORT=22
      - GITEA__security__SECRET_KEY=${GITEA_SECRET_KEY}
      - GITEA__security__INTERNAL_TOKEN=${GITEA_INTERNAL_TOKEN}
      - GITEA__i18n__LANGS=en-US
      - GITEA__i18n__NAMES=English
    volumes:
      - gitea_data:/data
      - /etc/timezone:/etc/timezone:ro
@@ -390,3 +396,34 @@ services:
      timeout: 10s
      retries: 3
      start_period: 30s
  ## ─────────────────────────────────────────────
  ## Duplicati — encrypted cloud backup
  ## ─────────────────────────────────────────────
  duplicati:
    image: lscr.io/linuxserver/duplicati:latest
    container_name: duplicati
    restart: unless-stopped
    networks: [traefik_proxy]
    environment:
      - PUID=0
      - PGID=0
      - TZ=${TZ}
      - SETTINGS_ENCRYPTION_KEY=${DUPLICATI_ENCRYPTION_KEY}
      - CLI_ARGS=--webservice-allowed-hostnames=* --webservice-password=${DUPLICATI_PASSWORD}
    volumes:
      - duplicati_config:/config
      - /:/source:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.duplicati.rule=Host(`backup.${DOMAIN_PREFIX}.${DOMAIN}`)"
      - "traefik.http.routers.duplicati.entrypoints=websecure"
      - "traefik.http.routers.duplicati.tls.certresolver=le"
      - "traefik.http.routers.duplicati.middlewares=security-headers@docker"
      - "traefik.http.services.duplicati.loadbalancer.server.port=8200"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8200"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s