# Authelia DuckDNS & Traefik based Arcane Registry

## Approach

Authelia provides single sign-on authentication.

DuckDNS provides free subdomain redirects and Let's Encrypt certificates (domain and wildcard).

Traefik routes based on labels for services running on the same server.

Traefik routes based on remote-host.yaml files for services NOT running on the same server.

Each docker-compose.yml & .env file template includes templated labels to easily configure Traefik routing.

> ***Tip:*** **Create the following variables in .env.global**
>
> * TZ=America/New_York
> * PUID=1000
> * PGID=1000
> * SERVER_NAME=
> * SERVER_IP=
> * SUBDOMAIN=
>
> Then you can simply remove them from the .env file instead of filling in the values every time.

To disable Authelia for a specific site (like Jellyfin): comment out this line in the compose file: `- ${AUTHELIA_LABEL}`

## Deploying a new server? Start with the core stack

## Compose file template

```yaml
services:
  SERVICE_NAME:
    image:
    container_name: ${CONTAINER_NAME}
    restart: unless-stopped
    networks:
      - homelab-network
      - traefik-network
    ports:
      - ${EXTERNAL_PORT}:${INTERNAL_PORT}
    volumes:
      - ./data:/data
      - ./config:/config
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
    healthcheck:
      test: ['CMD', 'wget', '--quiet', '--tries=1', '--spider', 'http://localhost:9898/']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    labels:
      - com.getarcaneapp.arcane.icon=${ICON_URL}
      - ${HOST_LABEL}
      - ${LOADBALANCER_LABEL}
      - ${WATCHTOWER_ENABLE_LABEL}
      - ${TRAEFIK_ENABLE_LABEL}
      - ${TRAEFIK_NETWORK_LABEL}
      - ${ENTRYPOINT_LABEL}
      - ${CERT_LABEL}
      - ${AUTHELIA_LABEL}

networks:
  homelab-network:
    external: true
  traefik-network:
    external: true

x-dockge:
  urls:
    - https://${PROXY_URL}
    - ${LOCAL_URL}

x-arcane:
  icon: ${ICON_URL}
  urls:
    - https://${PROXY_URL}
    - ${LOCAL_URL}
```

## .env template

```bash
# #######################################################
# Templating variables, not used by compose file directly
SERVER_NAME=
SERVER_IP=
SUBDOMAIN=
SERVICE_NAME=
ICON_URL=https://cdn.jsdelivr.net/gh/selfhst/icons@main/svg/${SERVICE_NAME}.svg

# Include Server Name in Proxy URL? Choose one.

# PROXY_URL=${SERVICE_NAME}.${SERVER_NAME}.${SUBDOMAIN}.duckdns.org
PROXY_URL=${SERVICE_NAME}.${SUBDOMAIN}.duckdns.org


# #############################################################################
# Compose file variables

TZ=America/New_York
PUID=1000
PGID=1000

CONTAINER_NAME=${SERVICE_NAME}
INTERNAL_PORT=8081
EXTERNAL_PORT=8099
LOCAL_URL=http://${SERVER_IP}:${EXTERNAL_PORT}


# #############################################################
# Container Labels

# DO NOT enclose label values in single quotes
# If the value needs to include single quotes use backticks instead

# For example HOST_LABEL=traefik.http.routers.${SERVICE_NAME}.rule=Host(`${PROXY_URL}`)
# Notice the use of backticks instead of single quotes around ${PROXY_URL}

TRAEFIK_ENABLE_LABEL=traefik.enable=true
HOST_LABEL=traefik.http.routers.${SERVICE_NAME}.rule=Host(`${PROXY_URL}`)
ICON_LABEL=com.getarcaneapp.arcane.icon=${ICON_URL}
LOADBALANCER_LABEL=traefik.http.services.${SERVICE_NAME}.loadbalancer.server.port=${INTERNAL_PORT}

TRAEFIK_NETWORK_LABEL=traefik.docker.network=traefik-network
ENTRYPOINT_LABEL=traefik.http.routers.${SERVICE_NAME}.entrypoints=websecure
CERT_LABEL=traefik.http.routers.${SERVICE_NAME}.tls.certresolver=letsencrypt

AUTHELIA_LABEL=traefik.http.routers.${SERVICE_NAME}.middlewares=authelia@docker
WATCHTOWER_ENABLE_LABEL=com.centurylinklabs.watchtower.enable=true
```

## Traefik remote server yaml files

When Traefik is on a different server:

* labels in compose files are ignored (remove them to avoid confusion)
* the routers and services must be included in a yaml file under traefik/dynamic

> **VARIABLES MUST BE REPLACED BY THE ACTUAL VALUES - The files in traefik/dynamic do NOT have access to the env variables**

***Tip:*** **Use find/replace in your text editor**

```yaml
http:
  routers:
    ${SERVICE_NAME}-${SERVER_NAME}:
      rule: "Host(`${SERVICE_NAME}.${DOMAIN}`)"
      service: ${SERVICE_NAME}-${SERVER_NAME}-service
      entrypoints:
        - websecure
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker

  services:
    ${SERVICE_NAME}-${SERVER_NAME}-service:
      loadBalancer:
        servers:
          - url: "http://${SERVER_IP}:${EXTERNAL_PORT}"
        passHostHeader: true
```

Filename doesn't technically matter, but it is recommended to either

* create a file for each service named like `service-server_name-remote-host.yaml`
* OR create a single file per server like `server_name-remote-host.yaml`

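The find/replace step above, done as a small POSIX shell script (an added example, not part of this repository): it renders the remote-host yaml with the actual values and then checks that no `${...}` placeholder survived, since files under traefik/dynamic cannot read .env. The Host rule uses PROXY_URL from the .env template so it matches HOST_LABEL on the compose side; the service values used in the comments (jellyfin, nas, 192.168.1.10, 8096) are constructed samples.

```shell
#!/bin/sh
# Added example: render a traefik/dynamic remote-host file from one
# service's values and verify that no ${VAR} placeholder is left behind.
# Same structure as the remote-host yaml above; the Host rule uses
# PROXY_URL from the .env template so it matches HOST_LABEL in compose.
REMOTE_HOST_TEMPLATE='http:
  routers:
    ${SERVICE_NAME}-${SERVER_NAME}:
      rule: "Host(`${PROXY_URL}`)"
      service: ${SERVICE_NAME}-${SERVER_NAME}-service
      entrypoints:
        - websecure
      tls:
        certResolver: letsencrypt
      middlewares:
        - authelia@docker
  services:
    ${SERVICE_NAME}-${SERVER_NAME}-service:
      loadBalancer:
        servers:
          - url: "http://${SERVER_IP}:${EXTERNAL_PORT}"
        passHostHeader: true
'

# render_remote_host SERVICE_NAME SERVER_NAME SERVER_IP EXTERNAL_PORT PROXY_URL
render_remote_host() {
  printf '%s' "$REMOTE_HOST_TEMPLATE" | sed \
    -e 's|\${SERVICE_NAME}|'"$1"'|g' \
    -e 's|\${SERVER_NAME}|'"$2"'|g' \
    -e 's|\${SERVER_IP}|'"$3"'|g' \
    -e 's|\${EXTERNAL_PORT}|'"$4"'|g' \
    -e 's|\${PROXY_URL}|'"$5"'|g'
}

# has_unresolved_vars FILE: succeeds when a ${...} placeholder survived,
# which Traefik would read literally since dynamic files never see .env.
has_unresolved_vars() {
  grep -q '\${[A-Za-z_][A-Za-z0-9_]*}' "$1"
}

# write_remote_host OUTFILE SERVICE_NAME SERVER_NAME SERVER_IP EXTERNAL_PORT PROXY_URL
# Renders into OUTFILE and fails if the find/replace step was incomplete, e.g.
# write_remote_host traefik/dynamic/jellyfin-nas-remote-host.yaml \
#   jellyfin nas 192.168.1.10 8096 jellyfin.mylab.duckdns.org   (constructed values)
write_remote_host() {
  out=$1; shift
  render_remote_host "$@" > "$out"
  if has_unresolved_vars "$out"; then
    echo "unresolved variables in $out" >&2; return 1
  fi
}
```

Values are passed as arguments rather than sourced from .env on purpose: the label values there contain backticks, which a shell would execute as command substitution when sourcing the file.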
## Docker Compose Templates

* Core
  * Authelia
  * DuckDNS (no webui)
  * Traefik

* Backrest
* Bookstack
* Calibre-web
* Docker-proxy (no webui)
* Dokuwiki
* Dozzle
* Gitea
* Glances
* Homarr
* Homepage
* Jupyter
* Mealie (No Authelia middleware)
* Sablier (no webui)
* Vaultwarden (No Authelia middleware)
* Watchtower (no webui)