version: '3'

services:
  postgresql:
    image: postgres:12-alpine
    container_name: authentik_postgres
    restart: "no"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      - authentik
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    env_file:
      - .env

  redis:
    image: redis:alpine
    container_name: authentik_redis
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - authentik
    restart: "no"

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.1}
    container_name: authentik_authentik
    logging:
      driver: loki
      options:
        loki-url: http://localhost:3100/loki/api/v1/push
        loki-batch-size: "50"
        loki-retries: "1"
        loki-timeout: "2s"
        keep-file: "true"
    networks:
      authentik:
      web:
        aliases:
          - authentik-server
    restart: "no"
    command: server
    environment:
      AUTHENTIK_HOST: http://authentik-server:9000
      AUTHENTIK_HOST_BROWSER: https://authentik.jafner.net
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ${DOCKER_DATA}/media:/media
      - ${DOCKER_DATA}/custom-templates:/templates
    env_file:
      - .env
    labels:
      traefik.http.routers.authentik.rule: Host(`authentik.jafner.net`)
      traefik.http.routers.authentik.tls.certresolver: lets-encrypt
      traefik.http.routers.authentik.middlewares: securityheaders@file
      traefik.http.services.authentik.loadbalancer.server.port: 9000

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.1.3}
    container_name: authentik_worker
    logging:
      driver: loki
      options:
        loki-url: http://localhost:3100/loki/api/v1/push
        loki-batch-size: "50"
        loki-retries: "1"
        loki-timeout: "2s"
        keep-file: "true"
    restart: "no"
    networks:
      - authentik
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    user: root
    volumes:
      - ${DOCKER_DATA}/backups:/backups
      - ${DOCKER_DATA}/media:/media
      - ${DOCKER_DATA}/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DOCKER_DATA}/custom-templates:/templates
    env_file:
      - .env
    labels:
      traefik.enable: false

volumes:
  database:
    driver: local

networks:
  authentik:
  web:
    external: true