# =============================================================================
# SimpleAuth — Docker Compose
# =============================================================================
#
# Quick start:
#   cp .env.example .env    # Edit with your values
#   docker compose up -d
#
# Full stack with nginx TLS termination:
#   1. Place TLS cert/key (fullchain.pem, privkey.pem) in deploy/nginx/certs/
#   2. docker compose --profile full up -d
#
# With your app:
#   docker compose --profile full --profile app up -d
#
# All config comes from .env — see .env.example for all options.
# .env holds AUTH_ADMIN_KEY and AUTH_CLIENT_SECRET, so keep it out of version
# control and readable only by the account that runs Docker.
# =============================================================================
services:
  # ---------------------------------------------------------------------------
  # simpleauth: the authentication service itself
  # ---------------------------------------------------------------------------
  simpleauth:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        VERSION: "${VERSION:-latest}"
    image: simpleauth:latest
    container_name: simpleauth
    restart: unless-stopped
    environment:
      # Every value is interpolated from .env (see .env.example). The text
      # after ":-" is the fallback used when the variable is unset or empty.
      #
      # NOTE(review): AUTH_ADMIN_KEY and AUTH_CLIENT_SECRET fall back to an
      # empty string. How the service treats an empty key is not visible in
      # this file; confirm that it refuses to start or generates one.
      # Compose's "${VAR:?message}" form aborts `up` when a value is missing.
      # Values set here can also be read back with `docker inspect`.

      # --- Identity and listener ---
      AUTH_ADMIN_KEY: "${AUTH_ADMIN_KEY:-}"
      AUTH_HOSTNAME: "${AUTH_HOSTNAME:-localhost}"
      AUTH_DEPLOYMENT_NAME: "${AUTH_DEPLOYMENT_NAME:-sauth}"
      AUTH_PORT: "${AUTH_PORT:-8080}"
      AUTH_HTTP_PORT: "${AUTH_HTTP_PORT:-}"
      # Defaults to "true": the service itself then speaks plain HTTP and TLS
      # is expected to be terminated elsewhere (nginx under the "full" profile).
      AUTH_TLS_DISABLED: "${AUTH_TLS_DISABLED:-true}"
      # The default lists all three RFC 1918 private ranges.
      # NOTE(review): presumably peers in these ranges may supply forwarded
      # client-address headers; confirm, and if so narrow this to the proxy's
      # own address or subnet so rate limiting and audit entries do not rest
      # on a value the client controls.
      AUTH_TRUSTED_PROXIES: "${AUTH_TRUSTED_PROXIES:-172.16.0.0/12,10.0.0.0/8,192.168.0.0/16}"

      # --- Token lifetimes (720h is 30 days) ---
      AUTH_JWT_ISSUER: "${AUTH_JWT_ISSUER:-simpleauth}"
      AUTH_JWT_ACCESS_TTL: "${AUTH_JWT_ACCESS_TTL:-8h}"
      AUTH_JWT_REFRESH_TTL: "${AUTH_JWT_REFRESH_TTL:-720h}"
      AUTH_IMPERSONATE_TTL: "${AUTH_IMPERSONATE_TTL:-1h}"

      # --- Client registration ---
      AUTH_CLIENT_ID: "${AUTH_CLIENT_ID:-simpleauth}"
      AUTH_CLIENT_SECRET: "${AUTH_CLIENT_SECRET:-}"
      AUTH_REDIRECT_URIS: "${AUTH_REDIRECT_URIS:-}"

      # --- Rate limiting and audit retention (2160h is 90 days) ---
      AUTH_RATE_LIMIT_MAX: "${AUTH_RATE_LIMIT_MAX:-10}"
      AUTH_RATE_LIMIT_WINDOW: "${AUTH_RATE_LIMIT_WINDOW:-1m}"
      AUTH_AUDIT_RETENTION: "${AUTH_AUDIT_RETENTION:-2160h}"

      # --- Miscellaneous ---
      AUTH_CORS_ORIGINS: "${AUTH_CORS_ORIGINS:-}"
      AUTH_DEFAULT_ROLES: "${AUTH_DEFAULT_ROLES:-}"
      AUTH_BASE_PATH: "${AUTH_BASE_PATH:-}"
      AUTH_DATA_DIR: "${AUTH_DATA_DIR:-/data}"

      # Kerberos (uncomment if needed)
      # AUTH_KRB5_KEYTAB: "/data/krb5.keytab"
      # AUTH_KRB5_REALM: "${AUTH_KRB5_REALM:-}"

      # TLS (not needed when AUTH_TLS_DISABLED=true)
      # AUTH_TLS_CERT: "/data/tls.crt"
      # AUTH_TLS_KEY: "/data/tls.key"
    volumes:
      # Named volume mounted at /data. The commented Kerberos and TLS settings
      # above point at a keytab and a private key inside this same mount.
      - "simpleauth-data:/data"
    ports:
      # No host address is given, so the port is published on every host
      # interface. With AUTH_TLS_DISABLED=true that listener is plain HTTP,
      # and under the "full" profile it stays reachable without going through
      # nginx. To keep it host-local, prefix the mapping with a loopback
      # address, e.g. "127.0.0.1:${SIMPLEAUTH_PORT:-8080}:${AUTH_PORT:-8080}".
      - "${SIMPLEAUTH_PORT:-8080}:${AUTH_PORT:-8080}"
    networks:
      - simpleauth-net
    deploy:
      resources:
        limits:
          memory: 256M
          cpus: "1.0"
        reservations:
          memory: 64M

  # ---------------------------------------------------------------------------
  # nginx: reverse proxy that terminates TLS in front of simpleauth
  # Enabled only with: docker compose --profile full up -d
  # ---------------------------------------------------------------------------
  nginx:
    profiles:
      - "full"
    build:
      context: ./deploy/nginx
      dockerfile: Dockerfile
    container_name: simpleauth-nginx
    restart: unless-stopped
    depends_on:
      # NOTE(review): service_healthy needs a healthcheck on simpleauth. None
      # is declared in this file, so it has to come from a HEALTHCHECK in the
      # image's Dockerfile; without one this dependency cannot be satisfied.
      simpleauth:
        condition: service_healthy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Certificate chain and private key are bind-mounted read-only (":ro").
      # Keep privkey.pem on the host readable only by the account that runs
      # Docker, and out of version control.
      - "./deploy/nginx/certs/fullchain.pem:/etc/nginx/ssl/fullchain.pem:ro"
      - "./deploy/nginx/certs/privkey.pem:/etc/nginx/ssl/privkey.pem:ro"
    networks:
      - simpleauth-net
    deploy:
      resources:
        limits:
          memory: 128M

  # ---------------------------------------------------------------------------
  # Example: your own app, reading AUTH_ADMIN_KEY from the same .env file
  # Enabled only with: docker compose --profile app up -d
  #
  # NOTE(review): this example hands the app the same AUTH_ADMIN_KEY that the
  # service is configured with. Check whether a narrower credential, such as
  # AUTH_CLIENT_ID / AUTH_CLIENT_SECRET, is enough for the app.
  # ---------------------------------------------------------------------------
  # myapp:
  #   profiles: ["app"]
  #   image: your-app:latest
  #   container_name: myapp
  #   restart: unless-stopped
  #   environment:
  #     # Same AUTH_ADMIN_KEY from .env, so there is no second copy to manage
  #     SIMPLEAUTH_ADMIN_KEY: "${AUTH_ADMIN_KEY:-}"
  #     SIMPLEAUTH_URL: "http://simpleauth:${AUTH_PORT:-8080}"
  #     # Or if your app uses different env var names:
  #     # AUTH_SERVER: "http://simpleauth:8080"
  #     # AUTH_KEY: "${AUTH_ADMIN_KEY:-}"
  #   networks:
  #     - simpleauth-net
  #   depends_on:
  #     - simpleauth

# Named volume backing the /data mount of the simpleauth service.
volumes:
  simpleauth-data:
    driver: local

# Bridge network shared by simpleauth, nginx and the optional app.
networks:
  simpleauth-net:
    driver: bridge