first commit

compose.yml

@@ -0,0 +1,216 @@
+# =============================================================================
+# Organization Stack - Docker Compose Configuration
+# =============================================================================
+# Defines six core services and their dependencies:
+#   1. lldap - Lightweight LDAP directory for user management
+#   2. Authelia - SSO authentication server with 2FA support
+#   3. Gitea - Self-hosted Git service (uses OIDC for authentication)
+#   4. JSPWiki - Wiki platform (uses forward-auth for authentication)
+#   5. Registration - User self-provisioning service (forward-auth for admin)
+#   6. Caddy - Reverse proxy with automatic HTTPS
+# =============================================================================
+
+services:
+  # ===========================================================================
+  # lldap - Lightweight LDAP Directory
+  # ===========================================================================
+  # Centralized user and group management
+  # All user credentials are stored here; other services authenticate against it
+  # Accessible only via Caddy (web UI) and internal Docker network (LDAP protocol)
+  lldap:
+    image: lldap/lldap:stable
+    container_name: lldap
+    environment:
+      - UID=${USER_UID:-1000}
+      - GID=${USER_GID:-1000}
+      - TZ=${TZ:-UTC}
+      - LLDAP_JWT_SECRET_FILE=/secrets/JWT_SECRET
+      - LLDAP_LDAP_USER_PASS_FILE=/secrets/LDAP_USER_PASS
+      - LLDAP_LDAP_BASE_DN=${LDAP_BASE_DN}
+    volumes:
+      - lldap_data:/data                     # Persistent LDAP database
+      - ./secrets/lldap:/secrets:ro          # Read-only secrets mount
+    networks:
+      - org-network
+    restart: unless-stopped
+
+  # ===========================================================================
+  # Authelia - SSO Authentication & Authorization Server
+  # ===========================================================================
+  # Provides single sign-on, two-factor authentication, and access control
+  # Acts as both OIDC provider (for Gitea) and forward-auth endpoint (for Wiki/lldap)
+  # Accessible only via Caddy and internal Docker network
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    environment:
+      - TZ=${TZ:-UTC}
+      # All secrets loaded from files for security
+      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/secrets/RESET_PASSWORD_JWT_SECRET
+      - AUTHELIA_SESSION_SECRET_FILE=/secrets/SESSION_SECRET
+      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/secrets/STORAGE_ENCRYPTION_KEY
+      - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/secrets/OIDC_HMAC_SECRET
+      - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/secrets/OIDC_PRIVATE_KEY
+      - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets-lldap/LDAP_USER_PASS
+      # SMTP configuration (for email notifications - see SMTP_SETUP.md)
+      - SMTP_HOST=${SMTP_HOST:-localhost}
+      - SMTP_PORT=${SMTP_PORT:-587}
+      - SMTP_USER=${SMTP_USER:-}
+      - SMTP_PASSWORD=${SMTP_PASSWORD:-}
+      - SMTP_FROM=${SMTP_FROM:-noreply@localhost}
+      - AUTH_SUBDOMAIN=${AUTH_SUBDOMAIN:-auth}
+      - REGISTRATION_ADMIN_EMAIL=${REGISTRATION_ADMIN_EMAIL:-}
+    volumes:
+      - ./authelia/configuration.yml:/config/configuration.yml:ro
+      - ./secrets/authelia:/secrets:ro       # Authelia's own secrets
+      - ./secrets/lldap:/secrets-lldap:ro    # lldap password for LDAP auth
+      - authelia_data:/data                  # Sessions, 2FA registrations
+    networks:
+      - org-network
+    restart: unless-stopped
+    depends_on:
+      - lldap
+
+  # ===========================================================================
+  # Gitea - Self-Hosted Git Service
+  # ===========================================================================
+  # Git repository hosting with web UI
+  # Uses OIDC to authenticate users through Authelia (SSO)
+  # Web interface accessible only via Caddy
+  # SSH exposed for Git operations (git clone, push, pull)
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    ports:
+      - "${GITEA_SSH_PORT:-2222}:22"         # Git SSH access (required for git operations)
+    environment:
+      - USER_UID=${USER_UID:-1000}
+      - USER_GID=${USER_GID:-1000}
+      - GITEA__database__DB_TYPE=sqlite3
+      - GITEA__server__DOMAIN=${GITEA_SUBDOMAIN}.${BASE_DOMAIN}
+      - GITEA__server__ROOT_URL=https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}
+      - GITEA__server__SSH_DOMAIN=${GITEA_SUBDOMAIN}.${BASE_DOMAIN}
+      - GITEA__server__SSH_PORT=${GITEA_SSH_PORT:-2222}
+      - GITEA__oauth2_client__ACCOUNT_LINKING=auto
+      - GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
+      - GITEA__oauth2_client__USERNAME=preferred_username
+      - GITEA__oauth2_client__OPENID_CONNECT_SCOPES=openid email profile
+      - GITEA__openid__ENABLE_OPENID_SIGNIN=false
+      # Trust Caddy's self-signed CA when USE_SELF_SIGNED_CERTS=true
+      - SSL_CERT_FILE=/data/ca-bundle.crt
+    volumes:
+      - gitea_data:/data                     # Git repos, database, config
+      - caddy_data:/caddy_data:ro            # Access Caddy's self-signed CA
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    networks:
+      - org-network
+    restart: unless-stopped
+    depends_on:
+      - authelia
+
+  # ===========================================================================
+  # JSPWiki - Wiki Platform
+  # ===========================================================================
+  # Collaborative wiki with LDAP user synchronization
+  # Uses forward-auth (trusts Remote-User header from Authelia via Caddy)
+  jspwiki:
+    build: ./jspwiki                         # Custom image with RemoteUserFilter
+    container_name: jspwiki
+    environment:
+      - LDAP_BASE_DN=${LDAP_BASE_DN}
+    volumes:
+      - jspwiki_data:/var/jspwiki            # Wiki pages and config
+      - ./jspwiki-custom.properties:/usr/local/tomcat/lib/jspwiki-custom.properties:ro
+      - ./jspwiki.policy:/usr/local/tomcat/webapps/ROOT/WEB-INF/jspwiki.policy:ro
+      - ./secrets/lldap:/secrets-lldap:ro    # lldap admin password for sync
+    networks:
+      - org-network
+    restart: unless-stopped
+    depends_on:
+      - lldap
+
+  # ===========================================================================
+  # Registration - User Self-Provisioning Service
+  # ===========================================================================
+  # Public registration form and admin approval dashboard
+  # Public route: / (registration form)
+  # Protected route: /admin (requires forward-auth via Authelia)
+  # Creates approved users in lldap via LDAP protocol (ldapadd + ldappasswd)
+  registration:
+    build: ./registration                    # FastAPI application
+    container_name: registration
+    user: "${USER_UID:-1000}:${USER_GID:-1000}"
+    environment:
+      - DATABASE_PATH=/data/registrations.db
+      - LLDAP_ADMIN_USER=admin
+      - LDAP_BASE_DN=${LDAP_BASE_DN}
+      - ADMIN_EMAIL=${REGISTRATION_ADMIN_EMAIL:-}
+      - SMTP_ENABLED=${SMTP_ENABLED:-false}
+      - SMTP_HOST=${SMTP_HOST:-localhost}
+      - SMTP_PORT=${SMTP_PORT:-587}
+      - SMTP_USER=${SMTP_USER:-}
+      - SMTP_PASSWORD=${SMTP_PASSWORD:-}
+      - SMTP_FROM=${SMTP_FROM:-}
+      - SMTP_USE_TLS=${SMTP_USE_TLS:-true}
+    volumes:
+      - registration_data:/data              # SQLite database and audit log
+      - ./secrets/lldap:/secrets-lldap:ro    # lldap admin password for user creation
+    networks:
+      - org-network
+    restart: unless-stopped
+    depends_on:
+      - lldap
+      - authelia
+
+  # ===========================================================================
+  # Caddy - Reverse Proxy with Automatic HTTPS
+  # ===========================================================================
+  # Terminates TLS and routes traffic to backend services
+  # Automatically obtains Let's Encrypt certificates
+  # Enforces authentication via forward-auth for wiki and lldap
+  caddy:
+    image: caddy:latest
+    container_name: caddy
+    ports:
+      - "${HTTP_PORT:-80}:80"                # HTTP (redirects to HTTPS)
+      - "${HTTPS_PORT:-443}:443"             # HTTPS
+      - "${HTTPS_PORT:-443}:443/udp"         # HTTP/3 (QUIC)
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro  # Generated from template by deploy.sh
+      - caddy_data:/data                     # TLS certificates
+      - caddy_config:/config                 # Caddy runtime config
+    networks:
+      - org-network
+    restart: unless-stopped
+    depends_on:
+      - lldap
+      - authelia
+      - gitea
+      - jspwiki
+      - registration
+
+# =============================================================================
+# Networks
+# =============================================================================
+# All services communicate on an internal bridge network using Docker hostnames
+# External access is ONLY through Caddy reverse proxy (ports 80/443)
+# Exception: Gitea SSH port for Git operations (port 2222)
+# No direct access to any service - all require Authelia authentication via Caddy
+networks:
+  org-network:
+    driver: bridge
+
+# =============================================================================
+# Volumes
+# =============================================================================
+# Persistent storage for all services
+# Back these up regularly with: ./manage.sh backup
+volumes:
+  lldap_data:         # LDAP database (users, groups)
+  authelia_data:      # Authentication state (sessions, 2FA registrations)
+  gitea_data:         # Git repositories and Gitea database
+  jspwiki_data:       # Wiki pages and attachments
+  registration_data:  # Registration requests and audit log
+  caddy_data:         # TLS certificates from Let's Encrypt
+  caddy_config:       # Caddy runtime configuration