---
services:
  postgresql:
    image: docker.io/library/postgres:${AUTHENTIK_POSTGRESQL_VERSION:-16}
    container_name: authentik-db
    restart: unless-stopped
    env_file:
      - .env
    networks:
      - authentik
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:?database password required}
      POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
      POSTGRES_DB: ${AUTHENTIK_POSTGRES_DATABASE:-authentik}

  redis:
    image: docker.io/library/redis:${AUTHENTIK_REDIS_VERSION:-alpine}
    container_name: authentik-redis
    restart: unless-stopped
    command: --save 60 1 --loglevel warning
    volumes:
      - redis:/data
    networks:
      - authentik
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s

  server:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2024.12.3}
    container_name: authentik-server
    restart: unless-stopped
    command: server
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    networks:
      - traefik
      - authentik
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRES_DATABASE:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:?database password required}
    env_file:
      - .env
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.authentik.entrypoints=http"
      - "traefik.http.routers.authentik.rule=Host(`${AUTHENTIK_DOMAIN:?error}`)"
      - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
      - "traefik.http.routers.authentik-secure.entrypoints=https"
      - "traefik.http.routers.authentik-secure.rule=Host(`${AUTHENTIK_DOMAIN:?error}`)"
      - "traefik.http.routers.authentik-secure.tls=true"
      - "traefik.http.routers.authentik-secure.service=authentik"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy

  worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2024.12.3}
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    networks:
      - authentik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRES_DATABASE:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:?database password required}
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy

volumes:
  database:
    driver: local
  redis:
    driver: local

networks:
  traefik:
    external: true
  authentik:
    driver: bridge