Add Authelia configuration and user database; remove Prometheus and Grafana services
@@ -4,8 +4,6 @@
|
||||
networks:
|
||||
traefik_proxy:
|
||||
name: traefik_proxy
|
||||
monitoring:
|
||||
name: monitoring
|
||||
internal:
|
||||
name: internal
|
||||
|
||||
@@ -13,8 +11,6 @@ volumes:
|
||||
traefik_letsencrypt:
|
||||
traefik_logs:
|
||||
portainer_data:
|
||||
prometheus_data:
|
||||
grafana_data:
|
||||
uptime_kuma_data:
|
||||
|
||||
########################
|
||||
@@ -32,7 +28,7 @@ services:
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
networks: [traefik_proxy, monitoring]
|
||||
networks: [traefik_proxy]
|
||||
environment:
|
||||
TZ: "${TZ}"
|
||||
command:
|
||||
@@ -59,10 +55,6 @@ services:
|
||||
# (Alt) Use TLS-ALPN-01 if port 80 is blocked:
|
||||
# - --certificatesresolvers.le.acme.tlschallenge=true
|
||||
|
||||
# Metrics (Prometheus)
|
||||
- --metrics.prometheus=true
|
||||
- --metrics.prometheus.addrouterslabels=true
|
||||
|
||||
# Global timeouts for slow backends
|
||||
- --serversTransport.forwardingTimeouts.dialTimeout=30s
|
||||
- --serversTransport.forwardingTimeouts.responseHeaderTimeout=60s
|
||||
@@ -111,9 +103,33 @@ services:
|
||||
- traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`)
|
||||
- traefik.http.routers.portainer.entrypoints=websecure
|
||||
- traefik.http.routers.portainer.tls.certresolver=le
|
||||
- traefik.http.routers.portainer.middlewares=security-headers
|
||||
- traefik.http.routers.portainer.middlewares=authelia,security-headers
|
||||
- traefik.http.services.portainer.loadbalancer.server.port=9000
|
||||
|
||||
## ─────────────────────────────────────────────
|
||||
## Authelia — authentication and authorization
|
||||
## ─────────────────────────────────────────────
|
||||
authelia:
|
||||
image: authelia/authelia:latest
|
||||
container_name: authelia
|
||||
restart: unless-stopped
|
||||
networks: [traefik_proxy, internal]
|
||||
volumes:
|
||||
- ./authelia:/config
|
||||
environment:
|
||||
TZ: "${TZ}"
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
|
||||
- traefik.http.routers.authelia.entrypoints=websecure
|
||||
- traefik.http.routers.authelia.tls.certresolver=le
|
||||
- traefik.http.routers.authelia.middlewares=security-headers
|
||||
|
||||
# ForwardAuth middleware for protecting other services
|
||||
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth
|
||||
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
|
||||
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name
|
||||
|
||||
## ─────────────────────────────────────────────
|
||||
## Uptime Kuma — status page / checks
|
||||
## ─────────────────────────────────────────────
|
||||
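Review bot: `trustForwardHeader=true` on the `authelia` forwardauth middleware tells Traefik to hand client-supplied `X-Forwarded-*` headers through to Authelia, which uses them for its network-based `access_control` rules and to build the redirect back after login, so this is only safe when Traefik is the sole hop in front of Authelia and its entrypoints drop or validate those headers from untrusted sources; the entrypoint definitions are not in this diff, so confirm `forwardedHeaders.trustedIPs` is either unset (default: untrusted `X-Forwarded-*` headers are removed) or limited to the upstream proxy's addresses, and otherwise drop the label or set it to `false`. `image: authelia/authelia:latest` means the one container gating every protected service can change behaviour on any pull; for this service in particular pin a release tag and ideally a digest, e.g. `image: authelia/authelia:<release>@sha256:<digest>`. The commit title says an Authelia configuration and user database are added under `./authelia`; if `configuration.yml` carries the JWT/session/storage secrets or `users_database.yml` carries password hashes, those belong in environment variables or `*_FILE` secrets rather than in the repository. The `internal` network Authelia joins is declared earlier in this file without `internal: true`, so containers on it still have outbound routing — fine if intended, but the name suggests otherwise.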
@@ -129,69 +145,5 @@ services:
|
||||
- traefik.http.routers.kuma.rule=Host(`uptime.gate.${DOMAIN}`)
|
||||
- traefik.http.routers.kuma.entrypoints=websecure
|
||||
- traefik.http.routers.kuma.tls.certresolver=le
|
||||
- traefik.http.routers.kuma.middlewares=security-headers
|
||||
- traefik.http.routers.kuma.middlewares=authelia,security-headers
|
||||
- traefik.http.services.kuma.loadbalancer.server.port=3001
|
||||
|
||||
## ─────────────────────────────────────────────
|
||||
## Prometheus + exporters + Grafana
|
||||
## ─────────────────────────────────────────────
|
||||
prometheus:
|
||||
image: prom/prometheus:latest
|
||||
container_name: prometheus
|
||||
restart: unless-stopped
|
||||
networks: [monitoring, traefik_proxy]
|
||||
volumes:
|
||||
- prometheus_data:/prometheus
|
||||
- ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.prom.rule=Host(`prometheus.gate.${DOMAIN}`)
|
||||
- traefik.http.routers.prom.entrypoints=websecure
|
||||
- traefik.http.routers.prom.tls.certresolver=le
|
||||
- traefik.http.routers.prom.middlewares=security-headers
|
||||
- traefik.http.services.prom.loadbalancer.server.port=9090
|
||||
|
||||
cadvisor:
|
||||
image: gcr.io/cadvisor/cadvisor:latest
|
||||
container_name: cadvisor
|
||||
restart: unless-stopped
|
||||
networks: [monitoring]
|
||||
devices:
|
||||
- /dev/kmsg:/dev/kmsg
|
||||
volumes:
|
||||
- /:/rootfs:ro
|
||||
- /var/run:/var/run:ro
|
||||
- /sys:/sys:ro
|
||||
- /var/lib/docker/:/var/lib/docker:ro
|
||||
|
||||
node-exporter:
|
||||
image: prom/node-exporter:latest
|
||||
container_name: node-exporter
|
||||
restart: unless-stopped
|
||||
networks: [monitoring]
|
||||
pid: host
|
||||
volumes:
|
||||
- /proc:/host/proc:ro
|
||||
- /sys:/host/sys:ro
|
||||
- /:/rootfs:ro
|
||||
command: ["--path.rootfs=/rootfs"]
|
||||
|
||||
grafana:
|
||||
image: grafana/grafana-oss:latest
|
||||
container_name: grafana
|
||||
restart: unless-stopped
|
||||
networks: [traefik_proxy, monitoring]
|
||||
environment:
|
||||
GF_SECURITY_ADMIN_USER: "${GRAFANA_ADMIN_USER}"
|
||||
GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASS}"
|
||||
GF_SERVER_ROOT_URL: https://grafana.gate.${DOMAIN}
|
||||
TZ: "${TZ}"
|
||||
volumes:
|
||||
- grafana_data:/var/lib/grafana
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.grafana.rule=Host(`grafana.gate.${DOMAIN}`)
|
||||
- traefik.http.routers.grafana.entrypoints=websecure
|
||||
- traefik.http.routers.grafana.tls.certresolver=le
|
||||
- traefik.http.routers.grafana.middlewares=security-headers
|
||||
- traefik.http.services.grafana.loadbalancer.server.port=3000
|
||||
|
||||
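Review bot: Adding the `authelia` middleware to the `kuma` router puts every Uptime Kuma path, including the status pages and badge endpoints that the service header describes as a "status page", behind the Authelia login; if those are meant to be reachable without an account, add an Authelia `access_control` rule with `policy: bypass` for the status-page paths or route them through a second Traefik router that omits the middleware. Uptime Kuma also has its own login, so a short comment above the label, such as `# Authelia is the outer gate; Kuma's own login still applies behind it`, would make the double prompt intentional rather than surprising to the next maintainer.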