fix

.deploy-infra/deploy-prod.yaml

@@ -26,6 +26,57 @@ services:
       update_config:
         parallelism: 1
         # order: start-first
+  
+  zitadel:
+    image: ghcr.io/zitadel/zitadel:latest
+    networks:
+      - common-infra-nginx
+    command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
+    environment:
+      ZITADEL_DATABASE_POSTGRES_HOST: pg.sprinthub.ru
+      ZITADEL_DATABASE_POSTGRES_PORT: 5432
+      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
+      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: postgres
+      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: $DB_PASSWORD_PROD
+      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
+      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: $DB_PASSWORD_PROD
+      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
+      ZITADEL_EXTERNALSECURE: "false"
+      ZITADEL_EXTERNALDOMAIN: zitadel.chocomarsh.com
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+      update_config:
+        parallelism: 1
+    
+  # authelia:
+  #   image: mathwave/sprint-repo:authelia
+  #   networks:
+  #     - common-infra-nginx
+  #   environment:
+  #     AUTHELIA_JWT_SECRET: $AUTHTHELIA_JWT_SECRET
+  #     AUTHELIA_SESSION_SECRET: $AUTHTHELIA_SESSION_SECRET
+  #     AUTHELIA_STORAGE_ENCRYPTION_KEY: $AUTHELIA_STORAGE_ENCRYPTION_KEY
+  #     AUTHELIA_STORAGE_POSTGRES_PORT: "5432"
+  #     AUTHELIA_STORAGE_POSTGRES_DATABASE: "authelia"
+  #     AUTHELIA_STORAGE_POSTGRES_USERNAME: "postgres"
+  #     AUTHELIA_STORAGE_POSTGRES_PASSWORD: $DB_PASSWORD_PROD
+  #     AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: "one_factor"
+  #     AUTHELIA_NOTIFIER_SMTP_ENABLED: "false"
+  #   volumes:
+  #     - /sprint-data/authelia/data:/var/lib/authelia
+  #   deploy:
+  #     mode: replicated
+  #     replicas: 1
+  #     restart_policy:
+  #       condition: any
+  #     placement:
+  #       constraints: [node.labels.stage == production]
+  #     update_config:
+  #       parallelism: 1
 
   grafana:
     image: grafana/grafana
@@ -67,6 +118,13 @@ services:
         constraints: [node.labels.stage == production]
       update_config:
         parallelism: 1
+      resources:
+        limits:
+          memory: 2048M
+          cpus: '2.0'
+        reservations:
+          memory: 1024M
+          cpus: '1.0'
 
   postgres:
     image: postgres:14-alpine3.19

.gitea/workflows/deploy-prod.yaml

@@ -21,6 +21,8 @@ jobs:
         run: docker build -t mathwave/sprint-repo:sprint-infra-nginx-prod nginx/nginx-prod
       - name: build gitea runner
         run: docker build -t mathwave/sprint-repo:gitea-runner gitea-runner
+      - name: build authelia
+        run: docker build -t mathwave/sprint-repo:authelia authelia
   push:
     name: Push
     runs-on: [ prod ]
@@ -30,6 +32,8 @@ jobs:
         run: docker push mathwave/sprint-repo:sprint-infra-nginx-prod
       - name: push gitea runner
         run: docker push mathwave/sprint-repo:gitea-runner
+      - name: push authelia
+        run: docker push mathwave/sprint-repo:authelia
   prepare:
     name: prepare
     runs-on: [prod]
@@ -68,4 +72,7 @@ jobs:
           REDIS_PASSWORD_PROD: ${{ secrets.REDIS_PASSWORD_PROD }}
           RABBITMQ_PASSWORD_PROD: ${{ secrets.RABBITMQ_PASSWORD_PROD }}
           REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }}
+          AUTHTHELIA_JWT_SECRET: ${{ secrets.AUTHTHELIA_JWT_SECRET }}
+          AUTHTHELIA_SESSION_SECRET: ${{ secrets.AUTHTHELIA_SESSION_SECRET }}
+          AUTHELIA_STORAGE_ENCRYPTION_KEY: ${{ secrets.AUTHELIA_STORAGE_ENCRYPTION_KEY }}
         run: docker stack deploy --with-registry-auth -c ./.deploy-infra/deploy-prod.yaml infra

authelia/Dockerfile

@@ -0,0 +1,3 @@
+FROM authelia/authelia
+COPY configuration.yml /config/configuration.yml
+COPY users.yml /config/users.yml

authelia/configuration.yml

@@ -0,0 +1,44 @@
+theme: dark
+
+jwt_secret: secret-jwt-will-be-overridden-by-env
+
+server:
+  host: 0.0.0.0
+  port: 9091
+
+log:
+  level: info
+
+authentication_backend:
+  file:
+    path: /config/users.yml
+
+access_control:
+  default_policy: one_factor
+  rules:
+    - domain: "*.chocomarsh.com"
+      policy: one_factor
+
+session:
+  name: authelia_session
+  expiration: 1h
+  inactivity: 5m
+  remember_me_duration: 1w
+  cookies:
+    - domain: chocomarsh.com
+      authelia_url: https://auth.chocomarsh.com
+      default_redirection_url: https://login.chocomarsh.com
+
+storage:
+  encryption_key: "a_very_long_secret_32_characters_minimum"
+  postgres:
+    host: pg.sprinthub.ru
+    port: 5432
+    database: authelia
+    schema: public
+    username: postgres
+    password: autheliapass  # also override with env if preferred
+
+notifier:
+  filesystem:
+    filename: /config/notification.txt

authelia/users.yml

@@ -0,0 +1,5 @@
+users:
+  emmatveev:
+    password: "$argon2id$v=19$m=65536,t=1,p=4$CixMXaAilVof3yk1rtghwg$V/kcl1HNDWeybrV3SrVjjdI00D1lFtuvLldkwAklSOE"
+    displayname: "Egor Matveev"
+    email: emmtvv@gmail.com

prepare/run-production.sh

@@ -16,6 +16,12 @@ mkdir /sprint-data/certs || true
 mkdir /sprint-data/gitea || true
 mkdir /sprint-data/clickhouse || true
 mkdir /sprint-data/grafana || true
+mkdir /sprint-data/authelia || true
+mkdir /sprint-data/authelia/config || true
+mkdir /sprint-data/authelia/data || true
+chmod 777 /sprint-data/authelia
+chmod 777 /sprint-data/authelia/config
+chmod 777 /sprint-data/authelia/data
 chmod 777 /sprint-data/redis
 chmod 777 /sprint-data/rabbitmq
 chmod 777 /sprint-data/gitea