---
# Docker Compose stack for authentik: PostgreSQL and Redis as backing stores,
# the authentik server (published through Traefik labels) and the authentik
# worker.
#
# Values written as ${NAME} are substituted by Compose from the shell
# environment or an .env file next to this file. That file then holds the
# database password and AUTHENTIK_SECRET_KEY, so keep it out of version control
# and readable only by the account that runs Compose.
#
# NOTE(review): every service sets `apparmor:unconfined`, which switches off
# Docker's default AppArmor profile for that container. The file gives no
# reason for it. Remove the option on hosts where the containers start without
# it, or replace it with a profile written for the workload.
services:
  postgresql:
    # NOTE(review): PostgreSQL 12 reached upstream end of life in November 2024
    # and gets no further security fixes; plan a dump/restore upgrade to a
    # supported major version.
    image: docker.io/library/postgres:12-alpine
    container_name: authentik-postgresql
    restart: unless-stopped
    security_opt:
      - 'apparmor:unconfined'
    healthcheck:
      # `$$` escapes Compose interpolation, so the variables are expanded by
      # the shell inside the container, not by Compose on the host.
      test:
        - CMD-SHELL
        - 'pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}'
      start_period: 20s
      interval: 30s
      timeout: 5s
      retries: 5
    volumes:
      # Bind mount holding the database files; restrict the host directory to
      # the account that needs it.
      - '/docker/appdata/authentik-postgresql:/var/lib/postgresql/data'
    environment:
      - 'POSTGRES_PASSWORD=${POSTGRES_PASSWORD}'
      - 'POSTGRES_USER=${POSTGRES_USER}'
      - 'POSTGRES_DB=${POSTGRES_DB}'
    networks:
      # No ports are published; the database is reachable only over `backend`.
      - backend

  redis:
    # NOTE(review): floating tag; each pull may bring a different Redis
    # release. Pin a version tag or an image digest so upgrades are deliberate.
    image: docker.io/library/redis:alpine
    container_name: authentik-redis
    restart: unless-stopped
    security_opt:
      - 'apparmor:unconfined'
    # Snapshot to disk every 60 s when at least one key changed.
    # NOTE(review): no password is configured, so any container attached to the
    # `backend` network can read and write this instance. `backend` is declared
    # external below, so confirm which other stacks join it.
    command: '--save 60 1 --loglevel warning'
    healthcheck:
      test:
        - CMD-SHELL
        - 'redis-cli ping | grep PONG'
      start_period: 20s
      interval: 30s
      timeout: 3s
      retries: 5
    volumes:
      - '/docker/appdata/authentik-redis:/data'
    networks:
      - backend

  server:
    # NOTE(review): pinned to 2024.2.2. Check the project's published security
    # advisories for fixes released after this version, and upgrade server and
    # worker together since both use this image.
    image: ghcr.io/goauthentik/server:2024.2.2
    container_name: authentik-server
    restart: unless-stopped
    security_opt:
      - 'apparmor:unconfined'
    command: server
    environment:
      - 'AUTHENTIK_REDIS__DB=1'
      - 'AUTHENTIK_REDIS__HOST=redis'
      - 'AUTHENTIK_POSTGRESQL__HOST=postgresql'
      - 'AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}'
      - 'AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB}'
      - 'AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}'
      # NOTE(review): enables sending error reports to the authentik project;
      # set to false if diagnostic data must not leave this host.
      - 'AUTHENTIK_ERROR_REPORTING__ENABLED=true'
      # Signing secret for authentik; use a long random value and handle it
      # like a credential.
      - 'AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}'
    volumes:
      - '/docker/appdata/authentik/media:/media'
      - '/docker/appdata/authentik/custom-templates:/templates'
    labels:
      # Traefik router `authentik`: matches the host below on the `websecure`
      # entrypoint, terminates TLS with the `production` certificate resolver
      # and forwards to container port 9000.
      # NOTE(review): this container joins two networks; if Traefik reaches
      # only one of them, name it with the `traefik.docker.network` label so
      # the router does not select an address it cannot reach.
      - 'traefik.enable=true'
      - 'traefik.http.routers.authentik.rule=Host(`example.domain.com`)'
      - 'traefik.http.routers.authentik.entrypoints=websecure'
      - 'traefik.http.routers.authentik.tls=true'
      - 'traefik.http.routers.authentik.service=authentik'
      - 'traefik.http.routers.authentik.tls.certresolver=production'
      - 'traefik.http.services.authentik.loadBalancer.server.port=9000'
    # Short form: waits for the containers to start, not for their
    # healthchecks to pass.
    depends_on:
      - postgresql
      - redis
    networks:
      - backend
      - frontend

  worker:
    image: ghcr.io/goauthentik/server:2024.2.2
    container_name: authentik-worker
    restart: unless-stopped
    security_opt:
      - 'apparmor:unconfined'
    command: worker
    environment:
      - 'AUTHENTIK_REDIS__DB=1'
      - 'AUTHENTIK_REDIS__HOST=redis'
      - 'AUTHENTIK_POSTGRESQL__HOST=postgresql'
      - 'AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}'
      - 'AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB}'
      - 'AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}'
      - 'AUTHENTIK_ERROR_REPORTING__ENABLED=true'
      - 'AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}'
    # NOTE(review): root plus the Docker socket gives this container control
    # of the Docker daemon, which is equivalent to root on the host. It also
    # runs with AppArmor unconfined. authentik uses the socket for its Docker
    # integration (managing outposts) -- confirm that is in use here. If not,
    # drop both `user: root` and the socket mount; if it is, consider placing
    # a filtering socket proxy in front of the daemon.
    user: root
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
      - '/docker/appdata/authentik/media:/media'
      - '/docker/appdata/authentik/certs:/certs'
      - '/docker/appdata/authentik/custom-templates:/templates'
    depends_on:
      - postgresql
      - redis
    networks:
      - backend

# NOTE(review): these named volumes are declared but no service references
# them; every service above uses bind mounts under /docker/appdata instead.
volumes:
  database:
    driver: local
  redis:
    driver: local

# Both networks are external: Compose does not create them, so they must exist
# before the stack starts, and containers from other stacks may share them.
networks:
  frontend:
    external: true
  backend:
    external: true