homelab-infra/ops/restore-tests/authelia-compose.test.yml

services:
  restoretest-authelia-postgres:
    # Gleiche Major-Version wie shared PostgreSQL 18 in Produktion.
    image: postgres:18.4@sha256:8ff36f3c66371cba71d20ceedccfc3de9669a68737607888c4ef0af93abe8e39
    container_name: restoretest-authelia-postgres
    restart: "no"
    environment:
      TZ: Europe/Berlin
      POSTGRES_USER: authelia
      POSTGRES_DB: authelia
      POSTGRES_PASSWORD: restoretest-authelia-db
      PGDATA: /var/lib/postgresql/18/docker
    volumes:
      - /mnt/user/backups/restore-lab/authelia/postgres:/var/lib/postgresql
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U authelia -d authelia"]
      interval: 10s
      timeout: 5s
      retries: 10
    security_opt:
      - no-new-privileges:true

  restoretest-authelia:
    # Gleicher Image-Digest wie security/authelia/docker-compose.yml in Produktion.
    image: authelia/authelia:4.39.20@sha256:1b363e9279e742397966333f364e0876ae02bf5c876de73e83af6d48c57ff51b
    container_name: restoretest-authelia
    restart: "no"
    depends_on:
      restoretest-authelia-postgres:
        condition: service_healthy
    command:
      - authelia
      - --config=/config/configuration.yml
      - --config=/config/configuration.test-overlay.yml
    environment:
      TZ: Europe/Berlin
      # Wegwerf-Secrets nur fuer den isolierten Smoke. Niemals produktive
      # Authelia-Secrets in diesem Compose verwenden. Die produktiven
      # authelia_*_FILE-Mounts werden bewusst NICHT eingebunden.
      AUTHELIA_JWT_SECRET: restoretest-authelia-jwt-secret-placeholder-32bytes
      AUTHELIA_SESSION_SECRET: restoretest-authelia-session-secret-placeholder-32
      AUTHELIA_STORAGE_ENCRYPTION_KEY: restoretest-authelia-storage-enc-key-placeholder-32
      AUTHELIA_STORAGE_POSTGRES_PASSWORD: restoretest-authelia-db
      AUTHELIA_NOTIFIER_SMTP_PASSWORD: restoretest-authelia-smtp-placeholder
      # Die command:-Config laedt configuration.yml + Test-Overlay (zweite
      # Datei gewinnt bei Konflikt). Das Overlay zwingt storage/notifier/
      # session auf isolierte Test-Backends, damit kein produktives Postgres
      # erreicht und kein echter SMTP-Versand ausgeloest wird.
      AUTHELIA__SERVER__ADDRESS: tcp://0.0.0.0:9091
    volumes:
      - /mnt/user/backups/restore-lab/authelia/config:/config
    ports:
      # nur 127.0.0.1, keine Public-Route, keine Traefik-Labels
      - "127.0.0.1:19091:9091"
    security_opt:
      - no-new-privileges:true