aki/docker-compose-nas
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(auth): Add additional service authentication settings in .env.example and update docker-compose.yml for conditional middlewares
Some checks failed
/ validate-docker-compose (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Jose Daniel G. Percy 2025-04-26 01:32:13 +08:00
parent 6d2baa7300
commit 2fadb08c72
2 changed files with 38 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.env.example
View File

@ -14,6 +14,22 @@ GROUP_ID=1000
# Your local timezone (e.g., America/New_York, Europe/London, Asia/Manila). See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TIMEZONE="America/New_York"
# --- Authentication Settings ---
# Control which services require Authelia authentication (true/false)
# Set to 'false' to disable authentication for specific services
AUTH_SONARR=true
AUTH_RADARR=true
AUTH_BAZARR=true
AUTH_PROWLARR=true
AUTH_JELLYSEERR=true
AUTH_QBITTORRENT=true
AUTH_LIDARR=true
AUTH_JELLYFIN=false
AUTH_HOMEPAGE=true
AUTH_FLARESOLVERR=true
AUTH_SABNZBD=true
AUTH_CALIBRE=true
# --- Host Paths ---
# Base directory on host for storing service configuration files. '.' stores them in subdirectories within the project folder.
CONFIG_ROOT="."

62
docker-compose.yml
View File

@ -13,14 +13,11 @@ services:
- --experimental.plugins.rewrite-body.version=v1.2.0
- --experimental.plugins.rewriteHeaders.modulename=github.com/XciD/traefik-plugin-rewrite-headers
- --experimental.plugins.rewriteHeaders.version=v0.0.3
network_mode: service:tailscale # Add this line
# ports: # Remove this section
# - "80:80"
# - "443:443"
- --providers.docker.network=docker-compose-nas
- --providers.docker.endpoint=unix:///var/run/docker.sock
network_mode: service:tailscale
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
# extra_hosts: # Remove this section
# - host.docker.internal:172.17.0.1
healthcheck:
test: ["CMD", "traefik", "healthcheck", "--ping"]
interval: 30s
@ -31,11 +28,11 @@ services:
restart: always
environment:
- REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
command: ["redis-server", "--requirepass", "${AUTHELIA_REDIS_PASSWORD}"] # Use actual password variable
command: ["redis-server", "--requirepass", "${AUTHELIA_REDIS_PASSWORD}"]
volumes:
- ${CONFIG_ROOT:-.}/redis:/data:Z
healthcheck:
test: ["CMD", "redis-cli", "-a", "${AUTHELIA_REDIS_PASSWORD}", "ping"] # Use actual password variable
test: ["CMD", "redis-cli", "-a", "${AUTHELIA_REDIS_PASSWORD}", "ping"]
interval: 5s
timeout: 3s
retries: 5
@ -47,27 +44,21 @@ services:
volumes:
- ${CONFIG_ROOT:-.}/authelia:/config:Z
environment:
# Core secrets
- AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
- AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
- AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
- AUTHELIA_SESSION_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
# Only environment variable needed for identity validation
- AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=${AUTHELIA_JWT_SECRET}
# Timezone
- TZ=${TIMEZONE}
labels:
- traefik.enable=true
# Rule for Authelia portal itself (handles internal paths like /api, /logout etc.)
- traefik.http.routers.authelia.rule=PathPrefix(`/`)
- traefik.http.routers.authelia.entrypoints=web
- traefik.http.routers.authelia.priority=100 # High priority to catch root path
- traefik.http.routers.authelia.priority=100
- traefik.http.services.authelia.loadbalancer.server.port=9091
# Define the forwardAuth middleware
- traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${APP_HOSTNAME}/
- traefik.http.middlewares.authelia-auth.forwardAuth.trustForwardHeader=true
- traefik.http.middlewares.authelia-auth.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
# Homepage labels for Authelia itself
- homepage.group=Security
- homepage.name=Authelia
- homepage.icon=authelia.png
@ -92,8 +83,11 @@ services:
- traefik.enable=true
- traefik.http.routers.sonarr.rule=PathPrefix(`/sonarr`)
- traefik.http.routers.sonarr.entrypoints=web
- traefik.http.routers.sonarr.middlewares=authelia-auth@docker
- traefik.http.routers.sonarr.middlewares=${AUTH_SONARR:-true}
- traefik.http.services.sonarr.loadbalancer.server.port=8989
# Add conditional middlewares
- traefik.http.middlewares.true.chain.middlewares=authelia-auth@docker
- traefik.http.middlewares.false.chain.middlewares=
- homepage.group=Media
- homepage.name=Sonarr
- homepage.icon=sonarr.png
@ -122,7 +116,7 @@ services:
- traefik.enable=true
- traefik.http.routers.radarr.rule=PathPrefix(`/radarr`)
- traefik.http.routers.radarr.entrypoints=web
- traefik.http.routers.radarr.middlewares=authelia-auth@docker
- traefik.http.routers.radarr.middlewares=${AUTH_RADARR:-true}
- traefik.http.services.radarr.loadbalancer.server.port=7878
- homepage.group=Media
- homepage.name=Radarr
@ -184,7 +178,7 @@ services:
- traefik.enable=true
- traefik.http.routers.bazarr.rule=PathPrefix(`/bazarr`)
- traefik.http.routers.bazarr.entrypoints=web
- traefik.http.routers.bazarr.middlewares=authelia-auth@docker
- traefik.http.routers.bazarr.middlewares=${AUTH_BAZARR:-true}
- traefik.http.services.bazarr.loadbalancer.server.port=6767
- homepage.group=Download
- homepage.name=Bazarr
@ -335,8 +329,6 @@ services:
- ${DOWNLOAD_ROOT}:/data/torrents:Z
restart: always
healthcheck:
# Container may fail if the PIA's token expired, so mark as unhealthy when there is no internet connection
# see: https://github.com/qdm12/gluetun/issues/641#issuecomment-933856220
test:
["CMD", "curl", "--fail", "http://127.0.0.1:8080", "https://google.com"]
interval: 30s
@ -347,13 +339,10 @@ services:
- traefik.http.routers.qbittorrent.entrypoints=web
- traefik.http.services.qbittorrent.loadbalancer.server.port=8080
- traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
# https://github.com/qbittorrent/qBittorrent/issues/5693#issuecomment-552146296
- traefik.http.middlewares.qbittorrent-stripprefix.stripPrefix.prefixes=/qbittorrent
# https://community.traefik.io/t/middleware-to-add-the-if-needed/1895/19
- traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.regex=(^.*\/qbittorrent$$)
- traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.replacement=$$1/
- traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.permanent=false
#- com.centurylinklabs.watchtower.depends-on=/vpn
- homepage.group=Download
- homepage.name=qBittorrent
- homepage.icon=qbittorrent.png
@ -392,7 +381,7 @@ services:
restart: always
labels:
- traefik.enable=true
- traefik.http.routers.sabnzbd.rule=PathPrefix(`/sabnzbd`) # Simplified rule
- traefik.http.routers.sabnzbd.rule=PathPrefix(`/sabnzbd`)
- traefik.http.routers.sabnzbd.entrypoints=web
- traefik.http.routers.sabnzbd.middlewares=authelia-auth@docker
- traefik.http.services.sabnzbd.loadbalancer.server.port=8080
@ -523,7 +512,6 @@ services:
- HOMEPAGE_VAR_WEATHER_LONG=${HOMEPAGE_VAR_WEATHER_LONG}
- HOMEPAGE_VAR_WEATHER_TIME=${TIMEZONE}
- HOMEPAGE_VAR_WEATHER_UNIT=${HOMEPAGE_VAR_WEATHER_UNIT}
# Explicitly allow the hostname constructed from Tailscale variables
- HOMEPAGE_ALLOWED_HOSTS=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}
volumes:
- ${CONFIG_ROOT:-.}/homepage:/app/config:Z
@ -534,17 +522,15 @@ services:
[sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]
labels:
- traefik.enable=true
# Rule for homepage, now at /home, needs auth
- traefik.http.routers.homepage.rule=PathPrefix(`/home`)
- traefik.http.routers.homepage.entrypoints=web
- traefik.http.routers.homepage.priority=10 # Lower priority than Authelia's root rule
- traefik.http.routers.homepage.priority=10
- traefik.http.middlewares.homepage-stripprefix.stripPrefix.prefixes=/home
- traefik.http.routers.homepage.middlewares=homepage-stripprefix,authelia-auth@docker
# Homepage's own labels for discovery (unchanged)
- homepage.group=Dashboard
- homepage.name=Homepage
- homepage.icon=homepage.png
- homepage.href=/home # Update link to new path
- homepage.href=/home
- homepage.description=Service Dashboard
watchtower:
image: ghcr.io/containrrr/watchtower:latest
@ -565,23 +551,22 @@ services:
tailscale:
image: tailscale/tailscale:latest
container_name: tailscale
hostname: ${TAILSCALE_HOSTNAME:-tailscale-nas} # Hostname for Tailscale access
hostname: ${TAILSCALE_HOSTNAME:-tailscale-nas}
environment:
TS_AUTHKEY: ${TAILSCALE_AUTHKEY} # Needs to be set in .env
TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}" # Keep tags if desired
TS_AUTHKEY: ${TAILSCALE_AUTHKEY}
TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}"
TS_STATE_DIR: "/var/lib/tailscale"
TS_USERSPACE: "false"
# Switch to enable Funnel (public access) or Serve (Tailnet only)
ENABLE_FUNNEL_HTTPS: ${ENABLE_FUNNEL_HTTPS:-false}
volumes:
- ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale:Z # Persist state
- /var/run/docker.sock:/var/run/docker.sock # Optional, keep if needed
- ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale:Z
- /var/run/docker.sock:/var/run/docker.sock
devices:
- /dev/net/tun:/dev/net/tun
cap_add:
- NET_ADMIN
- NET_RAW
extra_hosts: # Add this section
extra_hosts:
- host.docker.internal:172.17.0.1
restart: always
command:
@ -605,8 +590,6 @@ services:
done
echo " Tailscaled is running."
# --- Start Tailscale Funnel/Serve ---
# Check the ENABLE_FUNNEL_HTTPS variable
if [ "${ENABLE_FUNNEL_HTTPS}" = "true" ]; then
echo "ENABLE_FUNNEL_HTTPS is true. Setting up Funnel -> http://localhost:80..."
tailscale funnel --bg http://localhost:80
@ -616,10 +599,9 @@ services:
tailscale serve --bg http://localhost:80
echo "Tailscale Serve configured."
fi
# --- End Tailscale Funnel/Serve ---
echo "Tailscale forwarding configured. Container will remain running."
wait # Wait indefinitely for background processes
wait
networks:
default: