bunkerized-nginx/examples/authelia/swarm.yml

version: "3.3"

services:
  # APPLICATIONS
  app1:
    image: tutum/hello-world
    networks:
      - bw-services
    deploy:
      placement:
        constraints:
          - "node.role==worker"
      labels:
        - bunkerweb.SERVER_NAME=app1.example.com
        - bunkerweb.USE_REVERSE_PROXY=yes
        - bunkerweb.REVERSE_PROXY_URL=/
        - bunkerweb.REVERSE_PROXY_HOST=http://app1
        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
        - bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
        - bunkerweb.REVERSE_PROXY_URL_999=/authelia
        - bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
        - bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""

  app2:
    image: tutum/hello-world
    networks:
      - bw-services
    deploy:
      placement:
        constraints:
          - "node.role==worker"
      labels:
        - bunkerweb.SERVER_NAME=app2.example.com
        - bunkerweb.USE_REVERSE_PROXY=yes
        - bunkerweb.REVERSE_PROXY_URL=/
        - bunkerweb.REVERSE_PROXY_HOST=http://app2
        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST=/authelia
        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
        - bunkerweb.REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
        - bunkerweb.REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
        - bunkerweb.REVERSE_PROXY_URL_999=/authelia
        - bunkerweb.REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
        - bunkerweb.REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""

  # AUTHELIA
  authelia:
    image: authelia/authelia:4
    networks:
      - bw-services
    configs:
      - source: config_authelia_configuration
        target: /config/configuration.yml
        uid: "0"
        gid: "0"
        mode: 0444
      - source: config_authelia_users_database
        target: /config/users_database.yml
        uid: "0"
        gid: "0"
        mode: 0444
    healthcheck:
      disable: true
    environment:
      - TZ=Europe/Paris
    deploy:
      placement:
        constraints:
          - "node.role==worker"
      labels:
        - bunkerweb.SERVER_NAME=auth.example.com
        - bunkerweb.USE_REVERSE_PROXY=yes
        - bunkerweb.REVERSE_PROXY_URL=/
        - bunkerweb.REVERSE_PROXY_HOST=http://authelia:9091
        - bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no

  redis:
    image: redis:7-alpine
    networks:
      - bw-services
    volumes:
      - redis:/data
    environment:
      - TZ=Europe/Paris
    deploy:
      placement:
        constraints:
          - "node.role==worker"

networks:
  bw-services:
    external: true
    name: bw-services

volumes:
  redis:

configs:
  config_authelia_configuration:
    file: ./authelia/configuration.yml
  config_authelia_users_database:
    file: ./authelia/users_database.yml