# stacks/auth/compose.yml
# Authelia in front of the homelab. Sits on the edge network so Caddy can
# forward_auth to it. I chose Authelia over Authentik because the config is
# declarative TOML/YAML and version-controls cleanly.
# mercemay.top/src/homelab-compose/ walks through the forward_auth setup.
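networks:
  # Internal network shared only by Authelia and its Redis. Nothing else
  # should join it: Redis runs without AUTH and relies on this isolation.
  auth:
    driver: bridge
  # Created outside this stack; Caddy lives here and forward_auths to Authelia.
  edge:
    external: true
    name: homelab_edge

volumes:
  authelia_data: {}
  authelia_redis: {}

services:
  authelia:
    image: authelia/authelia:4.38
    restart: unless-stopped
    # Whatever .env supplies (typically secrets) must stay out of version
    # control; only the file name is referenced here.
    env_file: .env
    environment:
      AUTHELIA_LOG_LEVEL: info
      # Quoted so the YAML parser does not turn it into a boolean.
      AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "false"
    volumes:
      # Read-only so the process cannot rewrite its own access-control rules.
      - ./config:/config:ro
      - authelia_data:/data
    depends_on:
      # Wait for Redis to answer PING, not merely to have started, so the
      # session store is usable before Authelia accepts requests.
      authelia-redis:
        condition: service_healthy
    networks: [auth, edge]
    security_opt:
      # Block privilege escalation via setuid/setgid binaries in the image.
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "authelia", "healthcheck"]
      interval: 30s
      timeout: 5s
      retries: 3

  authelia-redis:
    image: redis:7-alpine
    restart: unless-stopped
    # Snapshot to disk when at least one key changed in the last 60 seconds,
    # so sessions survive a container restart.
    command: ["redis-server", "--save", "60", "1"]
    volumes:
      - authelia_redis:/data
    # Internal network only: Redis has no password here and must never be
    # reachable from edge.
    networks: [auth]
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 3s
      retries: 5

  # Optional LDAP for users who prefer an external directory; commented out
  # by default. Uncomment and reference it from config/configuration.yml.
  # Keep it on the internal network only, like Redis.
  #
  # lldap:
  #   image: lldap/lldap:v0.5
  #   restart: unless-stopped
  #   env_file: .env
  #   environment:
  #     LLDAP_LDAP_BASE_DN: "dc=home,dc=arpa"
  #   volumes:
  #     - ./lldap/data:/data
  #   networks: [auth]

  # Trivial "whoami" container for testing the forward_auth path end-to-end.
  # Remove once you have a real downstream service wired up.
  whoami:
    image: traefik/whoami:v1.10
    restart: unless-stopped
    command:
      - --port=8080
      - --name=homelab-whoami
    networks: [edge]
    security_opt:
      - no-new-privileges:true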