nucleo000/perfil
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Configure deployment with Traefik and Authentik

Browse Source 
- Add proper Traefik labels with middleware support
- Use APP_NAME variable for dynamic naming
- Remove port mapping (Traefik handles routing)
- Add .env.example with all required variables
- Update README with complete variable documentation
- Configure docker network to use 'principal'
- Add X-Forwarded-Proto header middleware
This commit is contained in:
josedario87
2025-10-12 17:29:18 -06:00
parent bfeabbc640
commit c00d0fb61a
4 changed files with 103 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
.env.example Normal file
View File

@@ -0,0 +1,59 @@
# ===========================================
# Ejemplo de variables de entorno
# ===========================================
# Copia este archivo y configura los valores según tu entorno
#
# Para desarrollo local: copia a .env
# Para Gitea Actions: configura en Settings > Actions > Variables/Secrets
# ===========================================
# REGISTRY & DEPLOYMENT
# ===========================================
# URL del registro Docker (sin http:// ni https://)
REGISTRY_URL=registry.ejemplo.com
# Nombre de la aplicación (usado para container, imagen, y labels de Traefik)
APP_NAME=mi-app
# Dominio donde se desplegará la aplicación
APP_DOMAIN=miapp.ejemplo.com
# ===========================================
# AUTHENTIK OAUTH
# ===========================================
# URL pública del servidor Authentik (con https://)
NUXT_OAUTH_AUTHENTIK_SERVER_URL=https://auth.ejemplo.com
# URL interna del servidor Authentik para comunicación server-side
# (puede ser la misma que la pública si no hay red interna)
NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL=https://auth.ejemplo.com
# Client ID de la aplicación en Authentik
NUXT_OAUTH_AUTHENTIK_CLIENT_ID=abc123xyz
# Client Secret de la aplicación en Authentik (SECRETO)
NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET=super-secreto-aqui
# URL de redirect después de autenticación
# Debe coincidir con la configurada en Authentik
NUXT_OAUTH_AUTHENTIK_REDIRECT_URL=https://miapp.ejemplo.com/auth/callback
# ===========================================
# APPLICATION
# ===========================================
# URL pública de la aplicación
NUXT_PUBLIC_APP_URL=https://miapp.ejemplo.com
# Password para encriptar sesiones (SECRETO)
# Debe ser una cadena aleatoria de al menos 32 caracteres
# Genera uno con: openssl rand -base64 32
NUXT_SESSION_PASSWORD=generar-con-openssl-rand-base64-32
# ===========================================
# REGISTRY AUTHENTICATION (solo para CI/CD)
# ===========================================
# Usuario del registro Docker
REGISTRY_USERNAME=mi-usuario
# Contraseña del registro Docker (SECRETO)
REGISTRY_PASSWORD=mi-password-secreto

17
.gitea/workflows/build-and-deploy.yml
View File

@@ -10,6 +10,7 @@ jobs:
runs-on: docker runs-on: docker
env: env:
REG: ${{ vars.REGISTRY_URL }} REG: ${{ vars.REGISTRY_URL }}
APP_NAME: ${{ vars.APP_NAME }}
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- uses: docker/setup-buildx-action@v2 - uses: docker/setup-buildx-action@v2
@@ -19,12 +20,12 @@ jobs:
username: ${{ secrets.REGISTRY_USERNAME }} username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }} password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Build+push plantilla-nuxt-authentik - name: Build+push ${{ vars.APP_NAME }}
run: | run: |
cd nuxt4 cd nuxt4
docker build -t $REG/plantilla-nuxt-authentik:${{ github.sha }} -t $REG/plantilla-nuxt-authentik:latest . docker build -t $REG/$APP_NAME:${{ github.sha }} -t $REG/$APP_NAME:latest .
docker push $REG/plantilla-nuxt-authentik:${{ github.sha }} docker push $REG/$APP_NAME:${{ github.sha }}
docker push $REG/plantilla-nuxt-authentik:latest docker push $REG/$APP_NAME:latest
#───────────────── deploy ───────────────── #───────────────── deploy ─────────────────
deploy: deploy:
@@ -32,6 +33,7 @@ jobs:
runs-on: docker runs-on: docker
env: env:
REG: ${{ vars.REGISTRY_URL }} REG: ${{ vars.REGISTRY_URL }}
APP_NAME: ${{ vars.APP_NAME }}
# Variables de entorno para docker-compose # Variables de entorno para docker-compose
APP_DOMAIN: ${{ vars.APP_DOMAIN }} APP_DOMAIN: ${{ vars.APP_DOMAIN }}
NUXT_OAUTH_AUTHENTIK_CLIENT_ID: ${{ secrets.NUXT_OAUTH_AUTHENTIK_CLIENT_ID }} NUXT_OAUTH_AUTHENTIK_CLIENT_ID: ${{ secrets.NUXT_OAUTH_AUTHENTIK_CLIENT_ID }}
@@ -48,15 +50,16 @@ jobs:
- name: Info about environment - name: Info about environment
run: | run: |
echo " Deploying Plantilla Nuxt + Authentik Proxy" echo " Deploying ${{ vars.APP_NAME }}"
echo " Domain: ${{ vars.APP_DOMAIN }}" echo " Domain: ${{ vars.APP_DOMAIN }}"
echo " Registry: ${{ vars.REGISTRY_URL }}"
echo " Network: principal" echo " Network: principal"
- name: Pull fresh images used in compose - name: Pull fresh images used in compose
run: docker compose pull run: docker compose pull
- name: Clean up stack - name: Clean up stack
run: docker compose --project-name plantilla-nuxt-authentik down run: docker compose --project-name $APP_NAME down
- name: Update stack - name: Update stack
run: docker compose --project-name plantilla-nuxt-authentik up -d --remove-orphans --wait run: docker compose --project-name $APP_NAME up -d --remove-orphans --wait

21
README.md
View File

@@ -60,21 +60,28 @@ El proyecto incluye Gitea Actions que automáticamente:
### Variables Requeridas en Gitea ### Variables Requeridas en Gitea
**Secrets:** Para configurar el despliegue automático, ve a tu repositorio en Gitea:
- **Secrets**: `Settings > Actions > Secrets`
- **Variables**: `Settings > Actions > Variables`
**Secrets (valores sensibles):**
- `REGISTRY_USERNAME` - Usuario del registro Docker - `REGISTRY_USERNAME` - Usuario del registro Docker
- `REGISTRY_PASSWORD` - Contraseña del registro Docker - `REGISTRY_PASSWORD` - Contraseña del registro Docker
- `NUXT_OAUTH_AUTHENTIK_CLIENT_ID` - Client ID de Authentik - `NUXT_OAUTH_AUTHENTIK_CLIENT_ID` - Client ID de Authentik
- `NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET` - Client Secret de Authentik - `NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET` - Client Secret de Authentik
- `NUXT_SESSION_PASSWORD` - Password para sesiones (32+ caracteres) - `NUXT_SESSION_PASSWORD` - Password para sesiones (generar con `openssl rand -base64 32`)
**Variables:** **Variables (valores públicos):**
- `REGISTRY_URL` - URL del registro Docker - `REGISTRY_URL` - URL del registro Docker (ej: `registry.ejemplo.com`)
- `APP_DOMAIN` - Dominio de la aplicación - `APP_NAME` - Nombre de la aplicación (ej: `mi-app`) - usado para container, imagen y Traefik
- `APP_DOMAIN` - Dominio de la aplicación (ej: `miapp.ejemplo.com`)
- `NUXT_OAUTH_AUTHENTIK_SERVER_URL` - URL pública de Authentik - `NUXT_OAUTH_AUTHENTIK_SERVER_URL` - URL pública de Authentik
- `NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL` - URL interna de Authentik - `NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL` - URL interna de Authentik (para comunicación server-side)
- `NUXT_OAUTH_AUTHENTIK_REDIRECT_URL` - URL de callback OAuth - `NUXT_OAUTH_AUTHENTIK_REDIRECT_URL` - URL de callback OAuth (ej: `https://miapp.ejemplo.com/auth/callback`)
- `NUXT_PUBLIC_APP_URL` - URL pública de la app - `NUXT_PUBLIC_APP_URL` - URL pública de la app
📄 Ver ejemplo completo en [`.env.example`](.env.example)
## Licencia ## Licencia
MIT MIT

29
docker-compose.yml
View File

@@ -2,31 +2,42 @@ version: '3.8'
services: services:
app: app:
image: ${REG}/plantilla-nuxt-authentik:latest image: ${REG}/${APP_NAME}:latest
container_name: plantilla-nuxt-authentik container_name: ${APP_NAME}
restart: unless-stopped restart: unless-stopped
ports:
- "3000:3000"
environment: environment:
# Node Environment
- NODE_ENV=production - NODE_ENV=production
- NUXT_HOST=0.0.0.0 - NUXT_HOST=0.0.0.0
- NUXT_PORT=3000 - NUXT_PORT=3000
# OAuth Authentik configuration # OAuth Authentik
- NUXT_OAUTH_AUTHENTIK_CLIENT_ID=${NUXT_OAUTH_AUTHENTIK_CLIENT_ID} - NUXT_OAUTH_AUTHENTIK_CLIENT_ID=${NUXT_OAUTH_AUTHENTIK_CLIENT_ID}
- NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET=${NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET} - NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET=${NUXT_OAUTH_AUTHENTIK_CLIENT_SECRET}
- NUXT_OAUTH_AUTHENTIK_SERVER_URL=${NUXT_OAUTH_AUTHENTIK_SERVER_URL} - NUXT_OAUTH_AUTHENTIK_SERVER_URL=${NUXT_OAUTH_AUTHENTIK_SERVER_URL}
- NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL=${NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL} - NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL=${NUXT_OAUTH_AUTHENTIK_SERVER_URL_INTERNAL}
- NUXT_OAUTH_AUTHENTIK_REDIRECT_URL=${NUXT_OAUTH_AUTHENTIK_REDIRECT_URL} - NUXT_OAUTH_AUTHENTIK_REDIRECT_URL=${NUXT_OAUTH_AUTHENTIK_REDIRECT_URL}
# Public URL
- NUXT_PUBLIC_APP_URL=${NUXT_PUBLIC_APP_URL} - NUXT_PUBLIC_APP_URL=${NUXT_PUBLIC_APP_URL}
# Session Secret
- NUXT_SESSION_PASSWORD=${NUXT_SESSION_PASSWORD} - NUXT_SESSION_PASSWORD=${NUXT_SESSION_PASSWORD}
networks: networks:
- principal - principal
labels: labels:
# Traefik labels
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.plantilla-nuxt.rule=Host(`${APP_DOMAIN}`)" - "traefik.docker.network=principal"
- "traefik.http.routers.plantilla-nuxt.entrypoints=websecure"
- "traefik.http.routers.plantilla-nuxt.tls.certresolver=letsencrypt" # HTTP Router
- "traefik.http.services.plantilla-nuxt.loadbalancer.server.port=3000" - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)"
- "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
- "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt"
# Service
- "traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000"
# Middleware (headers para proxy)
- "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-headers"
- "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
networks: networks:
principal: principal: