services:
  authentik-server:
    image: ghcr.io/goauthentik/server:2025.2.2
    container_name: authentik-server
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST}
      - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT}
      - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME}
      - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD}
      - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS}
      - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL}
      - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT}
      - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM}
    networks:
      - reverseproxy
      - authentik
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    depends_on:
      - authentik-postgres
      - authentik-redis
    restart: unless-stopped

  authentik-worker:
    image: ghcr.io/goauthentik/server:2025.2.2
    container_name: authentik-worker
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST}
      - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT}
      - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME}
      - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD}
      - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS}
      - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL}
      - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT}
      - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM}
    networks:
      - reverseproxy
      - authentik
    user: root
    volumes:
      - /run/docker.sock:/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    depends_on:
      - authentik-postgres
      - authentik-redis
    restart: unless-stopped

  authentik-redis:
    image: docker.io/library/redis:7.4.2
    container_name: authentik-redis
    command: --save 60 1 --loglevel warning
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - authentik
    volumes:
      - ./redis:/data
    restart: unless-stopped

  authentik-postgres:
    image: docker.io/library/postgres:17.4
    container_name: authentik-postgres
    environment:
      - POSTGRES_USER=authentik
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=authentik
      - TZ=${TZ}
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U "authentik"']
      start_period: 30s
      interval: 10s
      timeout: 10s
      retries: 5
    networks:
        - authentik
    volumes:
      - ./postgres:/var/lib/postgresql/data
    restart: unless-stopped
  
networks:
  authentik:
    name: authentik
  reverseproxy:
    external: true