authelia/docs/content/en/integration/deployment/docker.md

161 lines
6.1 KiB
Markdown
Raw Normal View History

---
title: "Docker"
description: "A guide on installing Authelia in Docker."
lead: "This is one of the primary ways we deliver Authelia to users and the recommended path."
date: 2022-05-27T22:24:38+10:00
draft: false
images: []
menu:
integration:
parent: "deployment"
weight: 230
toc: true
---
The [Docker] container is deployed with the following image names:
* [authelia/authelia](https://hub.docker.com/r/authelia/authelia)
* [docker.io/authelia/authelia](https://hub.docker.com/r/authelia/authelia)
* [ghcr.io/authelia/authelia](https://github.com/authelia/authelia/pkgs/container/authelia)
## Docker Compose
We provide two main [Docker Compose] examples which can be utilized to help test *Authelia* or can be adapted into your
existing [Docker Compose].
* [Unbundled Example](#standalone-example)
* [Bundle: lite](#lite)
* [Bundle: local](#local)
### Standalone Example
The following is an example [Docker Compose] deployment with just *Authelia* and no bundled applications or proxies.
It expects the following:
* The file `data/authelia/config/configuration.yml` is present and the configuration file.
* The files `data/authelia/secrets/*` exist and contain the relevant secrets.
* You're using PostgreSQL.
* You have an external network named `net` which is in bridge mode.
```yaml
version: "3.8"
secrets:
JWT_SECRET:
file: ${PWD}/data/authelia/secrets/JWT_SECRET
SESSION_SECRET:
file: ${PWD}/data/authelia/secrets/SESSION_SECRET
STORAGE_PASSWORD:
file: ${PWD}/data/authelia/secrets/STORAGE_PASSWORD
STORAGE_ENCRYPTION_KEY:
file: ${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY
OIDC_HMAC_KEY:
file: ${PWD}/data/authelia/secrets/OIDC_HMAC_KEY
OIDC_PRIVATE_KEY:
file: ${PWD}/data/authelia/secrets/OIDC_PRIVATE_KEY
services:
authelia:
container_name: authelia
image: docker.io/authelia/authelia:latest
restart: unless-stopped
networks:
net:
aliases: []
expose:
- 9091
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY, OIDC_HMAC_KEY, OIDC_PRIVATE_KEY]
environment:
AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: /run/secrets/OIDC_HMAC_KEY
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /run/secrets/OIDC_PRIVATE_KEY
volumes:
- ${PWD}/data/authelia/config:/config
networks:
net:
external: true
name: net
```
#### Running the Proxy on the Host Instead of in a Container
If you wish to run the proxy as a systemd service or other daemon, you will need to adjust the configuration. While this
configuration is not specific to *Authelia* and is mostly a [Docker] concept we explain this here to help alleviate the
users asking how to accomplish this. It should be noted that we can't provide documentation or support for every
architectural choice our users make and you should expect to do your own research to figure this out where possible.
The example below includes the additional `ports` option which must be added in order to allow communication to
*Authelia* from daemons on the [Docker] host. The other values are used to show context within the
[Standalone Example](#standalone-example) above. The example allows *Authelia* to be communicated with over the
localhost IP address `127.0.0.1` on port `9091`. You need to adjust this to your specific needs.
```yaml
services:
authelia:
container_name: authelia
image: docker.io/authelia/authelia:latest
restart: unless-stopped
networks:
net:
aliases: []
expose:
- 9091
ports:
- "127.0.0.1:9091:9091"
```
### Bundles
To use the bundles we recommend first cloning the git repository and checking out the latest release on a Linux Desktop:
```bash
git clone https://github.com/authelia/authelia.git
cd authelia
git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
```
#### lite
The [lite bundle](https://github.com/authelia/authelia/tree/master/examples/compose/lite) can be used by following this
process:
1. Perform the commands in [the bundles section](#bundles).
2. Run the `cd examples/compose/lite` command.
3. Edit `users_database.yml` and either change the username of the `authelia` user, or
[generate a new password](../../reference/guides/passwords.md#passwords), or both. The default password is
`authelia`.
4. Edit the `configuration.yml` and `docker-compose.yml` with your respective domains and secrets.
5. Run `docker compose up -d` or `docker-compose up -d`.
#### local
The [local bundle](https://github.com/authelia/authelia/tree/master/examples/compose/local) can be setup after cloning
the repository as per the [bundles](#bundles) section then running the following commands on a Linux Desktop:
```bash
cd examples/compose/local
./setup.sh
```
The bundle setup modifies the `/etc/hosts` file which is performed with `sudo`. Once it is successfully setup you can
visit the following URL's to see Authelia in action (`example.com` will be replaced by the domain you specified):
* [https://public.example.com](https://public.example.com) - Bypasses Authelia
* [https://traefik.example.com](https://traefik.example.com) - Secured with Authelia one-factor authentication
* [https://secure.example.com](https://secure.example.com) - Secured with Authelia two-factor authentication (see note below)
You will need to authorize the self-signed certificate upon visiting each domain. To visit
[https://secure.example.com](https://secure.example.com) you will need to register a device for second factor
authentication and confirm by clicking on a link sent by email. Since this is a demo with a fake email address, the
content of the email will be stored in `./authelia/notification.txt`. Upon registering, you can grab this link easily by
running the following command:
```bash
grep -Eo '"https://.*" ' ./authelia/notification.txt.
```
[Docker]: https://docker.com
[Docker Compose]: https://docs.docker.com/compose/