services:
  server:
    image: ghcr.io/goauthentik/server:2025.12.4@sha256:61eb50cfededf2ecc0ef483b497746db96d18934d440d7d55f6baa41977d8e85
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/authentik_postgres_password
      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
    volumes:
      - authentik_data:/data
    networks:
      - homelab_apps
      - homelab_db
    secrets:
      - authentik_postgres_password
      - authentik_secret_key
    labels:
      - traefik.enable=true
      - traefik.docker.network=homelab_apps
      - traefik.http.routers.authentik.rule=Host(`${AUTHENTIK_DOMAIN}`)
      - traefik.http.routers.authentik.entrypoints=websecure
      - traefik.http.routers.authentik.tls=true
      - traefik.http.routers.authentik.tls.certresolver=le
      - traefik.http.services.authentik.loadbalancer.server.port=9000
  worker:
    image: ghcr.io/goauthentik/server:2025.12.4@sha256:61eb50cfededf2ecc0ef483b497746db96d18934d440d7d55f6baa41977d8e85
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/authentik_postgres_password
      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
    volumes:
      - authentik_data:/data
    networks:
      - homelab_db
    secrets:
      - authentik_postgres_password
      - authentik_secret_key
volumes:
  authentik_data:
    driver: local
networks:
  homelab_apps:
    external: true
  homelab_db:
    external: true
secrets:
  authentik_postgres_password:
    environment: AUTHENTIK_POSTGRES_PASSWORD
  authentik_secret_key:
    environment: AUTHENTIK_SECRET_KEY