diff --git a/swarm/authentik.yaml b/swarm/authentik.yaml
index d0cb518..1d4235d 100644
--- a/swarm/authentik.yaml
+++ b/swarm/authentik.yaml
@@ -1,7 +1,6 @@ services: postgresql: image: docker.io/library/postgres:16-alpine - restart: unless-stopped healthcheck: test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] start_period: 20s
@@ -15,22 +14,24 @@ services: POSTGRES_USER: authentik POSTGRES_DB: authentik TZ: America/Chicago - PGID: 998 - PUID: 1001 - UMASK: 002 networks: - authentik deploy: placement: constraints: - node.hostname == znas - + labels: + gremlin.uid.exempt: "true" + gremlin.uid.reason: "Postgres manages its own internal users" + gremlin.caddy.skip: "true" + gremlin.homepage.skip: "true" + gremlin.monitor.skip: "true" + gremlin.network.skip: "true" redis: image: docker.io/library/redis:alpine user: "1964:1964" command: --save 60 1 --loglevel warning - restart: unless-stopped healthcheck: test: ["CMD-SHELL", "redis-cli ping | grep PONG"] start_period: 20s
@@ -39,9 +40,6 @@ services: timeout: 3s environment: TZ: America/Chicago - PGID: 998 - PUID: 1001 - UMASK: 002 volumes: - /DockerVol/Authentik/redis:/data networks:
@@ -50,12 +48,17 @@ services: placement: constraints: - node.hostname == znas - + labels: + gremlin.uid.exempt: "true" + gremlin.uid.reason: "Redis manages its own internal users" + gremlin.caddy.skip: "true" + gremlin.homepage.skip: "true" + gremlin.monitor.skip: "true" + gremlin.network.skip: "true" authentik: image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2} user: "1964:1964" - restart: unless-stopped command: server environment: AUTHENTIK_REDIS__HOST: redis
@@ -65,9 +68,6 @@ services: AUTHENTIK_POSTGRESQL__PASSWORD: F@lcon13 AUTHENTIK_SECRET_KEY: g8JIvopgkcpIeRUKgfT5KwHFUwGNBFobwhHMHx08wPTJTtAlmqllAwmr6u4jk+ng8O1gbV/gwZnYylMn TZ: America/Chicago - PGID: 998 - PUID: 1001 - UMASK: 002 volumes: - /DockerVol/Authentik/media:/media - /DockerVol/Authentik/custom-templates:/templates
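Review bot: The `gremlin.uid.reason: "Postgres manages its own internal users"` label added under the postgresql deploy block justifies a UID-audit exemption with database roles, which have nothing to do with the UID the container process runs as, and the service also has no `user:` pin, unlike redis in the same hunk. The official postgres image's entrypoint starts as root and drops to the postgres user with gosu, so the real justification is "entrypoint needs root to fix ownership and drop privileges", and the label should say so for whoever reads the audit later: `gremlin.uid.reason: "Official postgres entrypoint starts as root and drops to the postgres user via gosu; no user: pin"`. If the host data directory is already owned by the image's postgres uid, pinning `user:` to that uid (70 in the alpine image, verify against the image) would remove the need for the exemption altogether. The PGID/PUID/UMASK removals are correct, since those are LinuxServer.io conventions the official image does not read.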
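Review bot: The `gremlin.uid.reason: "Redis manages its own internal users"` label on the redis service is inaccurate as an audit justification: redis is already pinned with `user: "1964:1964"` (context in the previous hunk), and redis ACL users have no bearing on the process UID. Use the same wording the authentik services use so the exemption records the actual control: `gremlin.uid.reason: "Redis runs as 1964:1964 via user: directive"`. Dropping `restart: unless-stopped` from the authentik service is fine in swarm mode since `docker stack deploy` ignores it and `deploy.restart_policy` defaults to restarting on any exit; a one-line comment saying that would stop the next reader from re-adding it.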
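Review bot: `AUTHENTIK_POSTGRESQL__PASSWORD: F@lcon13` and `AUTHENTIK_SECRET_KEY: g8JI…` sit as plaintext context lines in the environment block this hunk touches, so both secrets are committed to the repository and the commit leaves them there. Treat both as compromised and rotate them; rotating the secret key will invalidate existing authentik sessions, so schedule it. Move the values out of the file, for example as swarm secrets read through authentik's `file://` value syntax, `AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/authentik_pg_password` and `AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key`, with a matching `secrets:` entry on the service (confirm the `file://` form against the 2025.2 configuration docs). The same two values are repeated verbatim in the worker's environment further down, so both services need the change together.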
@@ -82,23 +82,29 @@ services: constraints: - node.hostname == znas labels: + caddy: auth.netgrimoire.com + caddy.reverse_proxy: authentik:9000 + caddy.import_1: crowdsec + caddy.import_2: authentik + homepage.group: Management homepage.name: Authentik homepage.icon: authentik.png homepage.href: https://auth.netgrimoire.com homepage.description: Account Manager - kuma.auth.http.name: Authentik - kuma.auth.http.url: http://authentik:9000 - caddy: auth.netgrimoire.com - caddy.reverse_proxy: {{upstreams 9000}} - depends_on: - - postgresql - - redis + + monitor.name: Authentik + monitor.url: https://auth.netgrimoire.com + + diun.enable: "true" + + gremlin.uid.exempt: "true" + gremlin.uid.reason: "Authentik server runs as 1964:1964 via user: directive" + gremlin.context: "docker.sock on worker is required for Authentik outpost management" worker: image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2} user: "1964:1964" - restart: unless-stopped command: worker environment: AUTHENTIK_REDIS__HOST: redis
@@ -108,9 +114,6 @@ services: AUTHENTIK_POSTGRESQL__PASSWORD: F@lcon13 AUTHENTIK_SECRET_KEY: g8JIvopgkcpIeRUKgfT5KwHFUwGNBFobwhHMHx08wPTJTtAlmqllAwmr6u4jk+ng8O1gbV/gwZnYylMn TZ: America/Chicago - PGID: 998 - PUID: 1001 - UMASK: 002 volumes: - /var/run/docker.sock:/var/run/docker.sock - /DockerVol/Authentik/media:/media
@@ -118,16 +121,21 @@ services: - /DockerVol/Authentik/custom-templates:/templates networks: - authentik - depends_on: - - postgresql - - redis deploy: placement: constraints: - node.hostname == znas + labels: + gremlin.uid.exempt: "true" + gremlin.uid.reason: "Authentik worker runs as 1964:1964 via user: directive" + gremlin.caddy.skip: "true" + gremlin.homepage.skip: "true" + gremlin.monitor.skip: "true" + gremlin.network.skip: "true" + gremlin.context: "docker.sock mount is required for Authentik outpost management" networks: netgrimoire: external: true authentik: - external: true + external: true
\ No newline at end of file
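Review bot: The added `gremlin.context: "docker.sock on worker is required for Authentik outpost management"` is attached to the authentik server service, whose volumes (context in the previous hunk) do not include the docker socket; an audit label should describe the privilege of the service it sits on, so either drop it here or reword it, e.g. `gremlin.context: "No docker.sock on this service; outpost management lives in the worker"`. The two new snippet imports are opaque in this file: if the `authentik` snippet pulled in by `caddy.import_2` is a forward_auth block, applying it to the IdP's own vhost needs an exclusion for the login and outpost paths or sign-in will loop, which cannot be verified from here. A comment above the caddy labels naming what the `crowdsec` and `authentik` snippets do would let a reviewer check that. Removing `depends_on` is harmless because `docker stack deploy` ignores it.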
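Review bot: The worker bind-mounts `/var/run/docker.sock` while running as `user: "1964:1964"` (context at the end of the previous hunk); with a numeric uid that does not exist in the image Docker generally adds no supplementary groups, so unless the host socket is world-writable or the docker group is granted with `group_add` (neither visible here) the outpost integration will fail with permission denied on the socket. If socket access is genuinely needed, prefer `group_add: ["<docker-gid-on-znas>"]` over loosening socket permissions on the host, and record the gid in a comment next to the mount. The inline `AUTHENTIK_POSTGRESQL__PASSWORD` and `AUTHENTIK_SECRET_KEY` values here duplicate the server's and carry the same plaintext-in-git problem, so fix both services in one change.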
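Review bot: The `gremlin.context: "docker.sock mount is required for Authentik outpost management"` exemption records the socket but not its consequence: a raw `/var/run/docker.sock` bind gives the worker host-root-equivalent control of the znas node, which makes the `gremlin.uid.exempt` reasoning about running as 1964 largely moot. If outpost management must stay enabled, put a socket proxy in front of it (a small service exposing only the container, network and service endpoints the outpost integration needs, reached over TCP) and point authentik's docker service connection at that URL instead of the local socket, after confirming the transports the 2025.2 integration supports. At minimum extend the label so the audit captures the risk: `gremlin.context: "docker.sock mount is host root-equivalent; required for docker outpost integration, socket proxy recommended"`. The hunk also drops the file's trailing newline (`\ No newline at end of file`); restore it.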