chris/docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Finish Komodo setup

Browse Source 
Add OIDC snippet to Caddyfile
Add komodo to Caddyfile
This commit is contained in:
Chris King
2025-02-18 01:12:53 -08:00
parent 0dcd0c9823
commit 8a2240a43e
3 changed files with 93 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
komodo/.env
View File

@@ -12,14 +12,14 @@ COMPOSE_KOMODO_IMAGE_TAG=latest
## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
COMPOSE_LOGGING_DRIVER=journald # Enable log rotation with the local driver.
## DB credentials - Ignored for Sqlite
DB_USERNAME=admin
DB_PASSWORD=admin
KOMODO_DB_USERNAME=admin
KOMODO_DB_PASSWORD_FILE=/run/secrets/KOMODO_DB_PASSWORD
## Configure a secure passkey to authenticate between Core / Periphery.
PASSKEY=a_random_passkey
KOMODO_PASSKEY_FILE=/run/secrets/KOMODO_PASSKEY
#=-------------------------=#
#= Komodo Core Environment =#
@@ -32,7 +32,7 @@ PASSKEY=a_random_passkey
## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
KOMODO_HOST=https://demo.komo.do
KOMODO_HOST=https://komodo.tremendousturtle.tools
## Displayed in the browser tab.
KOMODO_TITLE=Komodo
## Create a server matching this address as the "first server".
@@ -45,22 +45,20 @@ KOMODO_DISABLE_CONFIRM_DIALOG=false
## status / container status / system stats / alerting.
## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
## Default: 15-sec
KOMODO_MONITORING_INTERVAL="15-sec"
KOMODO_MONITORING_INTERVAL="5-sec"
## Rate Komodo polls Resources for updates,
## like outdated commit hash.
## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
## Default: 5-min
KOMODO_RESOURCE_POLL_INTERVAL="5-min"
KOMODO_RESOURCE_POLL_INTERVAL="1-min"
## Used to auth against periphery. Alt: KOMODO_PASSKEY_FILE
KOMODO_PASSKEY=${PASSKEY}
## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
KOMODO_WEBHOOK_SECRET=a_random_secret
KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/KOMODO_WEBHOOK_SECRET
## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
KOMODO_JWT_SECRET=a_random_jwt_secret
KOMODO_JWT_SECRET_FILE=/run/secrets/KOMODO_JWT_SECRET
## Enable login with username + password.
KOMODO_LOCAL_AUTH=true
KOMODO_LOCAL_AUTH=false
## Disable new user signups.
KOMODO_DISABLE_USER_REGISTRATION=false
## All new logins are auto enabled
@@ -72,18 +70,18 @@ KOMODO_TRANSPARENT_MODE=false
## Time to live for jwt tokens.
## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
KOMODO_JWT_TTL="1-day"
KOMODO_JWT_TTL="1-wk"
## OIDC Login
KOMODO_OIDC_ENABLED=false
KOMODO_OIDC_ENABLED=true
## Must reachable from Komodo Core container
# KOMODO_OIDC_PROVIDER=https://oidc.provider.internal/application/o/komodo
KOMODO_OIDC_PROVIDER=https://authentik.tremendousturtle.tools/application/o/komodo/
## Change the host to one reachable be reachable by users (optional if it is the same as above).
## DO NOT include the `path` part of the URL.
# KOMODO_OIDC_REDIRECT_HOST=https://oidc.provider.external
KOMODO_OIDC_REDIRECT_HOST=https://authentik.tremendousturtle.tools
## Your client credentials
# KOMODO_OIDC_CLIENT_ID= # Alt: KOMODO_OIDC_CLIENT_ID_FILE
# KOMODO_OIDC_CLIENT_SECRET= # Alt: KOMODO_OIDC_CLIENT_SECRET_FILE
KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/KOMODO_OIDC_CLIENT_ID # Alt: KOMODO_OIDC_CLIENT_ID_FILE
KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/KOMODO_OIDC_CLIENT_SECRET # Alt: KOMODO_OIDC_CLIENT_SECRET_FILE
## Make usernames the full email.
# KOMODO_OIDC_USE_FULL_EMAIL=true
## Add additional trusted audiences for token claims verification.
@@ -115,8 +113,11 @@ KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
## Full variable list + descriptions are available here:
## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
## Periphery passkeys must include KOMODO_PASSKEY to authenticate
PERIPHERY_PASSKEYS=${PASSKEY}
## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
PERIPHERY_PASSKEYS_FILE=${KOMODO_PASSKEY_FILE}
## Specify the root directory used by Periphery agent.
PERIPHERY_ROOT_DIRECTORY=/etc/komodo
## Enable SSL using self signed certificates.
## Connect to Periphery at https://address:8120.

90
komodo/docker-compose.yml
View File

@@ -6,7 +6,6 @@
## 1. MongoDB
## 2. Komodo Core
## 3. Komodo Periphery
name: komodo
services:
db:
@@ -22,13 +21,15 @@ services:
# ports:
# - 27017:27017
volumes:
- mongo-data:/data/db
- mongo-config:/data/configdb
- ./data/mongo-data:/data/db
- ./config/mongo-config:/data/configdb
environment:
MONGO_INITDB_ROOT_USERNAME: ${DB_USERNAME}
MONGO_INITDB_ROOT_PASSWORD: ${DB_PASSWORD}
MONGO_INITDB_ROOT_USERNAME: ${KOMODO_DB_USERNAME}
MONGO_INITDB_ROOT_PASSWORD_FILE: ${KOMODO_DB_PASSWORD_FILE}
secrets:
- KOMODO_DB_PASSWORD
core:
app:
image: ghcr.io/mbecker20/komodo:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
labels:
komodo.skip: # Prevent Komodo from stopping with StopAllContainers
@@ -39,24 +40,29 @@ services:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- default
- proxy-net
ports:
- 9120:9120
env_file: ./compose.env
env_file: ./.env
environment:
KOMODO_DATABASE_ADDRESS: db:27017
KOMODO_DATABASE_USERNAME: ${DB_USERNAME}
KOMODO_DATABASE_PASSWORD: ${DB_PASSWORD}
KOMODO_DATABASE_USERNAME: ${KOMODO_DB_USERNAME}
KOMODO_DATABASE_PASSWORD_FILE: ${KOMODO_DB_PASSWORD_FILE}
KOMODO_LOGGING_LEVEL: info
volumes:
## Core cache for repos for latest commit hash / contents
- repo-cache:/repo-cache
- ./data/repo-cache:/repo-cache
## Store sync files on server
# - /path/to/syncs:/syncs
- ./data/syncs:/syncs
## Optionally mount a custom core.config.toml
# - /path/to/core.config.toml:/config/config.toml
## Allows for systemd Periphery connection at
## "http://host.docker.internal:8120"
# extra_hosts:
# - host.docker.internal:host-gateway
secrets:
- KOMODO_DB_PASSWORD
- KOMODO_PASSKEY
- KOMODO_WEBHOOK_SECRET
- KOMODO_JWT_SECRET
- KOMODO_OIDC_CLIENT_SECRET
- KOMODO_OIDC_CLIENT_ID
## Deploy Periphery container using this block,
## or deploy the Periphery binary with systemd using
@@ -70,34 +76,40 @@ services:
driver: ${COMPOSE_LOGGING_DRIVER:-local}
networks:
- default
env_file: ./compose.env
env_file: ./.env
environment:
PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
volumes:
## Mount external docker socket
- /var/run/docker.sock:/var/run/docker.sock
## Allow Periphery to see processes outside of container
- /proc:/proc
## use self signed certs in docker volume,
## or mount your own signed certs.
- ssl-certs:/etc/komodo/ssl
## manage repos in a docker volume,
## or change it to an accessible host directory.
- repos:/etc/komodo/repos
## manage stack files in a docker volume,
## or change it to an accessible host directory.
- stacks:/etc/komodo/stacks
## Optionally mount a path to store compose files
# - /path/to/compose:/host/compose
volumes:
# Mongo
mongo-data:
mongo-config:
# Core
repo-cache:
# Periphery
ssl-certs:
repos:
stacks:
## Specify the Periphery agent root directory.
## Must be the same inside and outside the container,
## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
## Default: /etc/komodo.
- ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
secrets:
- KOMODO_PASSKEY
networks:
default: {}
default: {}
proxy-net:
external: true
secrets:
KOMODO_DB_PASSWORD:
file: ./secrets/KOMODO_DB_PASSWORD
KOMODO_PASSKEY:
file: ./secrets/KOMODO_PASSKEY
KOMODO_WEBHOOK_SECRET:
file: ./secrets/KOMODO_WEBHOOK_SECRET
KOMODO_JWT_SECRET:
file: ./secrets/KOMODO_JWT_SECRET
KOMODO_OIDC_CLIENT_SECRET:
file: ./secrets/KOMODO_OIDC_CLIENT_SECRET
KOMODO_OIDC_CLIENT_ID:
file: ./secrets/KOMODO_OIDC_CLIENT_ID