pomerium/docs/examples/gitlab.docker-compose.yml

version: "3"

services:
  # NGINX routes to pomerium's services depending on the request.
  nginx:
    image: jwilder/nginx-proxy:latest
    ports:
      - "443:443"
    volumes:
      # NOTE!!! : nginx must be supplied with your wildcard certificates. And it expects
      # it in the format of whatever your wildcard domain name is in.
      # see : https://github.com/jwilder/nginx-proxy#wildcard-certificates
      # So, if your subdomain is corp.beyondperimeter.com, you'd have the following :
      - ./cert.pem:/etc/nginx/certs/corp.beyondperimeter.com.crt:ro
      - ./privkey.pem:/etc/nginx/certs/corp.beyondperimeter.com.key:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro

  pomerium-authenticate:
    build: .
    restart: always
    depends_on:
      - "gitlab"
    environment:
      - POMERIUM_DEBUG=true
      - SERVICES=authenticate
      # auth settings
      - REDIRECT_URL=https://sso-auth.corp.beyondperimeter.com/oauth2/callback
      - IDP_PROVIDER="gitlab"
      - IDP_PROVIDER_URL=https://gitlab.corp.beyondperimeter.com
      - IDP_CLIENT_ID=022dbbd09402441dc7af1924b679bc5e6f5bf0d7a555e55b38c51e2e4e6cee76
      - IDP_CLIENT_SECRET=fb7598c520c346915ee369eee57688938fe4f31329a308c4669074da562714b2
      - PROXY_ROOT_DOMAIN=beyondperimeter.com
      - ALLOWED_DOMAINS=*
      - SKIP_PROVIDER_BUTTON=false
      # shared service settings
      # Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
      - VIRTUAL_PROTO=https
      - VIRTUAL_HOST=sso-auth.corp.beyondperimeter.com
      - VIRTUAL_PORT=443
    volumes: # volumes is optional; used if passing certificates as files
      - ./cert.pem:/pomerium/cert.pem:ro
      - ./privkey.pem:/pomerium/privkey.pem:ro
    expose:
      - 443

  pomerium-proxy:
    build: .
    restart: always
    environment:
      - POMERIUM_DEBUG=true
      - SERVICES=proxy
      # proxy settings
      - AUTHENTICATE_SERVICE_URL=https://sso-auth.corp.beyondperimeter.com
      - ROUTES=https://httpbin.corp.beyondperimeter.com=http://httpbin,https://hello.corp.beyondperimeter.com=http://hello-world/
      # Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
      - SIGNING_KEY=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU0zbXBaSVdYQ1g5eUVneFU2czU3Q2J0YlVOREJTQ0VBdFFGNWZVV0hwY1FvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFaFBRditMQUNQVk5tQlRLMHhTVHpicEVQa1JyazFlVXQxQk9hMzJTRWZVUHpOaTRJV2VaLwpLS0lUdDJxMUlxcFYyS01TYlZEeXI5aWp2L1hoOThpeUV3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
      # nginx settings
      - VIRTUAL_PROTO=https
      - VIRTUAL_HOST=*.corp.beyondperimeter.com
      - VIRTUAL_PORT=443
    volumes: # volumes is optional; used if passing certificates as files
      - ./cert.pem:/pomerium/cert.pem:ro
      - ./privkey.pem:/pomerium/privkey.pem:ro
    expose:
      - 443

  # https://httpbin.corp.beyondperimeter.com
  httpbin:
    image: kennethreitz/httpbin:latest
    expose:
      - 80
  # https://hello.corp.beyondperimeter.com
  hello-world:
    image: tutum/hello-world:latest
    expose:
      - 80
  gitlab:
    hostname: gitlab.corp.beyondperimeter.com
    image: gitlab/gitlab-ce:latest
    restart: always
    expose:
      - 443
      - 80
      - 22
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.corp.beyondperimeter.com'
        nginx['ssl_certificate'] = '/etc/gitlab/trusted-certs/corp.beyondperimeter.com.crt'
        nginx['ssl_certificate_key'] = '/etc/gitlab/trusted-certs/corp.beyondperimeter.com.key'
      VIRTUAL_PROTO: https
      VIRTUAL_HOST: gitlab.corp.beyondperimeter.com
      VIRTUAL_PORT: 443
    volumes:
      - ./cert.pem:/etc/gitlab/trusted-certs/corp.beyondperimeter.com.crt
      - ./privkey.pem:/etc/gitlab/trusted-certs/corp.beyondperimeter.com.key
      - $HOME/gitlab/config:/etc/gitlab
      - $HOME/gitlab/logs:/var/log/gitlab
      - $HOME/gitlab/data:/var/opt/gitlab