version: '3'

services:
  postgresql:
    image: postgres:12-alpine
    container_name: authentik_postgres
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      - authentik
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    env_file:
      - .env

  redis:
    image: redis:alpine
    container_name: authentik_redis
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - authentik
    restart: unless-stopped

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.1}
    container_name: authentik_authentik
    networks:
      authentik:
      web:
        aliases:
          - authentik-server
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_HOST: http://authentik-server:9000
      AUTHENTIK_HOST_BROWSER: https://authentik.jafner.net
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ${DOCKER_DATA}/media:/media
      - ${DOCKER_DATA}/custom-templates:/templates
    env_file:
      - .env
    labels:
      traefik.http.routers.authentik.priority: 1
      traefik.http.routers.authentik.rule: Host(`authentik.jafner.net`)
      traefik.http.routers.authentik.tls.certresolver: lets-encrypt
      traefik.http.services.authentik.loadbalancer.server.port: 9000
      traefik.http.middlewares.authentik.forwardauth.address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.1.3}
    container_name: authentik_worker
    restart: unless-stopped
    networks:
      - authentik
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    user: root
    volumes:
      - ${DOCKER_DATA}/backups:/backups
      - ${DOCKER_DATA}/media:/media
      - ${DOCKER_DATA}/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DOCKER_DATA}/custom-templates:/templates
    env_file:
      - .env
    labels:
      traefik.enable: false

  adminer:
    image: adminer:4.8.1
    hostname: authentik_adminer
    container_name: adminer
    restart: unless-stopped
    ports:
      - 8686:8080
    networks:
      - authentik

volumes:
  database:
    driver: local

networks:
  authentik:
  web:
    external: true