Docker Compose with Dex Identity Provider
This guide shows you how to self-host dboxed with Dex as the Identity Provider.
The strength of Dex is its simplicity, allowing you to fully configure it via a config file. It can also be configured to provide statically configured users, which is good enough for many homelab setups.
Requirements
You’ll need a few things for this guide:
- A publicly reachable server (e.g., a Hetzner cloud server) with ports 80 and 443 open.
- A public DNS entry pointing to the public IP of your server.
Variables
The configuration files in this guide use multiple variables. Create the following file and set appropriate values for each variable:
dboxed.env
```sh
# Set it to the DNS entry that points to the public IP of your server.
DBOXED_HOSTNAME="dboxed.example.com"
# Set it to the admin username that you want to use. Simply setting it to "admin" should be good enough.
ADMIN_USERNAME="admin"
# Set it to the admin email that you want to use.
ADMIN_EMAIL="admin@example.com"
# Set this to the bcrypt hash of the desired password. Can be generated with:
# > echo my-secret-password | htpasswd -BinC 10 admin | cut -d: -f2
# Make sure to replace "my-secret-password" with a real password.
ADMIN_PASSWORD_HASH="$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
```
Preparing configuration files
Create the following 3 files:
dex-config.yaml
```yaml
issuer: https://${DBOXED_HOSTNAME}/dex
storage:
  type: sqlite3
  config:
    file: /data/dex.db
web:
  http: 0.0.0.0:5556
staticClients:
  - id: dboxed
    public: true
    redirectURIs:
      - 'https://${DBOXED_HOSTNAME}/'
    name: 'dboxed'
enablePasswordDB: true
staticPasswords:
  - email: "${ADMIN_EMAIL}"
    hash: "${ADMIN_PASSWORD_HASH}"
    username: "${ADMIN_USERNAME}"
```
dboxed-config.yaml
```yaml
instanceName: dboxed-example
db:
  url: sqlite3:///data/db.sqlite
  migrate: true
auth:
  oidc:
    issuerUrl: "https://${DBOXED_HOSTNAME}/dex"
    clientId: "dboxed"
  adminUsers:
    - username: "${ADMIN_EMAIL}"
server:
  listenAddress: "0.0.0.0:5000"
  baseUrl: "https://${DBOXED_HOSTNAME}"
defaultWorkspaceQuotas:
  maxLogBytes: 100Mi
```
docker-compose.yaml
```yaml
services:
  configs:
    image: alpine
    command:
      - sh
      - -c
      - |
        set -e
        apk add envsubst
        for i in $$(ls /templates); do
          echo $$i
          cat /templates/$$i | envsubst > /configs/$$i
        done
    volumes:
      - ./dex-config.yaml:/templates/dex-config.yaml
      - ./dboxed-config.yaml:/templates/dboxed-config.yaml
      - configs:/configs
    env_file:
      - ./.env
  traefik:
    image: "traefik:v3.5"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - dboxed
    command:
      - "--api.insecure=false"
      - "--api.dashboard=false"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=dboxed"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "letsencrypt_data:/letsencrypt"
  dex-init-volume:
    image: alpine
    command:
      - sh
      - -c
      - |
        chown 1001:1001 /data
    volumes:
      - dex_data:/data
  dex:
    image: dexidp/dex
    restart: unless-stopped
    depends_on:
      - dex-init-volume
      - configs
    command:
      - dex
      - serve
      - /configs/dex-config.yaml
    networks:
      - dboxed
    volumes:
      - dex_data:/data
      - configs:/configs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dex.rule=PathPrefix(`/dex`)"
      - "traefik.http.routers.dex.entrypoints=websecure"
      - "traefik.http.routers.dex.tls.certresolver=myresolver"
      - "traefik.http.routers.dex.tls.domains[0].main=${DBOXED_HOSTNAME}"
      - "traefik.http.services.dex.loadbalancer.server.port=5556"
  dboxed-api:
    image: ghcr.io/dboxed/dboxed:latest
    restart: unless-stopped
    networks:
      - dboxed
    depends_on:
      - configs
    command:
      - server
      - run
      - api
      - --config
      - /configs/dboxed-config.yaml
    volumes:
      - dboxed_server_db:/data
      - configs:/configs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dboxed-api.rule=PathPrefix(`/v1`)"
      - "traefik.http.routers.dboxed-api.entrypoints=websecure"
      - "traefik.http.routers.dboxed-api.tls.certresolver=myresolver"
      - "traefik.http.services.dboxed-api.loadbalancer.server.port=5000"
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  dboxed-reconcilers:
    image: ghcr.io/dboxed/dboxed:latest
    restart: unless-stopped
    networks:
      - dboxed
    command:
      - server
      - run
      - reconcilers
      - --config
      - /configs/dboxed-config.yaml
    volumes:
      - dboxed_server_db:/data
      - configs:/configs
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
  dboxed-frontend:
    image: ghcr.io/dboxed/dboxed-frontend:latest
    restart: unless-stopped
    networks:
      - dboxed
    environment:
      - VITE_API_URL=https://${DBOXED_HOSTNAME}
      - VITE_API_URL_PUBLIC=https://${DBOXED_HOSTNAME}
      - VITE_OIDC_ISSUER_URL=https://${DBOXED_HOSTNAME}/dex
      - VITE_OIDC_CLIENT_ID=dboxed
      - VITE_OIDC_SCOPE=openid profile email offline_access
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dboxed-frontend.rule=!PathPrefix(`/v1`) && !PathPrefix(`/dex`)"
      - "traefik.http.routers.dboxed-frontend.entrypoints=websecure"
      - "traefik.http.routers.dboxed-frontend.tls.certresolver=myresolver"
      - "traefik.http.services.dboxed-frontend.loadbalancer.server.port=80"
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
networks:
  dboxed:
    name: dboxed
volumes:
  configs: {}
  letsencrypt_data: {}
  dex_data: {}
  dboxed_server_db: {}
```
Deploying
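Before starting the stack, it is worth checking the variables file against the templates, because the `configs` service renders them with envsubst and a missing variable becomes an empty string (for example an empty password hash). The script below is an added example, not part of dboxed or Dex; the function names `env_value` and `preflight` are hypothetical, and it assumes the variables file uses one `NAME="value"` entry per line as shown above.

```shell
#!/bin/sh
# Added example: pre-flight check for the envsubst templating in this guide.
# Function names are hypothetical; pass your own env file and templates.

# Hash printed in the guide. It is public, so it must not be deployed.
GUIDE_SAMPLE_HASH='$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W'

# env_value FILE NAME: print NAME's value with surrounding quotes removed.
# The file is parsed as text, not sourced: sourcing would make the shell
# expand the "$2a$10$..." parts of a double-quoted bcrypt hash.
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 |
    sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# preflight ENV_FILE TEMPLATE...: return 0 if rendering is safe, 1 otherwise.
preflight() {
  env_file=$1; shift; rc=0
  # envsubst renders unset variables as empty strings without any error,
  # so every ${NAME} used by a template must have a non-empty value.
  for name in $(grep -oh '\${[A-Za-z_][A-Za-z0-9_]*}' "$@" | tr -d '${}' | sort -u); do
    if [ -z "$(env_value "$env_file" "$name")" ]; then
      echo "missing or empty: $name" >&2; rc=1
    fi
  done
  # bcrypt: $2a/$2b/$2y, two-digit cost 04-31, then 53 chars of salt+digest.
  pw_hash=$(env_value "$env_file" ADMIN_PASSWORD_HASH)
  if ! printf '%s\n' "$pw_hash" |
      grep -Eq '^\$2[aby]\$(0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{53}$'; then
    echo "ADMIN_PASSWORD_HASH is not a bcrypt hash" >&2; rc=1
  elif [ "$pw_hash" = "$GUIDE_SAMPLE_HASH" ]; then
    echo "ADMIN_PASSWORD_HASH is still the sample value from the guide" >&2; rc=1
  fi
  return $rc
}

# Usage: sh preflight.sh dboxed.env dex-config.yaml dboxed-config.yaml
if [ $# -gt 0 ]; then preflight "$@"; fi
```

A non-zero exit status means at least one template variable is empty or the admin password hash is unusable; the reasons are printed on stderr.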
To start dboxed, run:
```sh
docker compose up -d
```
Accessing dboxed
To access your freshly installed instance of dboxed, open https://DBOXED_HOSTNAME in your browser.
Of course, you’ll have to replace DBOXED_HOSTNAME with the host name you chose at the beginning.