services:
  db:
    image: postgres@sha256:035b9ab53cfa147d7202b61f5f7782b939ae815b7d6bc81c96b7b42ff1fca950
    container_name: authentik-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${PG_DB}
      POSTGRES_USER: ${PG_USER}
      POSTGRES_PASSWORD_FILE: /run/secrets/pg_pass
    volumes:
      - authentik_database:/var/lib/postgresql/data
    networks:
      - authentik_internal
    secrets:
      - pg_pass
    healthcheck:
      interval: 30s
      retries: 5
      start_period: 20s
      test:
        - CMD-SHELL
        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
      timeout: 5s
  server:
    image: ghcr.io/goauthentik/server:2025.12.4@sha256:61eb50cfededf2ecc0ef483b497746db96d18934d440d7d55f6baa41977d8e85
    container_name: authentik-server
    restart: unless-stopped
    command: server
    depends_on:
      db:
        condition: service_healthy
    env_file:
      - .env
    environment:
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/pg_pass
      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
    volumes:
      - authentik_data:/data
    networks:
      - authentik_internal
      - homelab_apps
    secrets:
      - pg_pass
      - authentik_secret_key
    labels:
      - traefik.enable=true
      - traefik.docker.network=homelab_apps
      - traefik.http.routers.authentik.rule=Host(`${AUTHENTIK_DOMAIN}`)
      - traefik.http.routers.authentik.entrypoints=websecure
      - traefik.http.routers.authentik.tls=true
      - traefik.http.routers.authentik.tls.certresolver=le
      - traefik.http.services.authentik.loadbalancer.server.port=9000
  worker:
    image: ghcr.io/goauthentik/server:2025.12.4@sha256:61eb50cfededf2ecc0ef483b497746db96d18934d440d7d55f6baa41977d8e85
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    depends_on:
      db:
        condition: service_healthy
    env_file:
      - .env
    environment:
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/pg_pass
      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
    volumes:
      - authentik_data:/data
    networks:
      - authentik_internal
    secrets:
      - pg_pass
      - authentik_secret_key
volumes:
  authentik_database:
    driver: local
  authentik_data:
    driver: local
networks:
  authentik_internal:
    internal: true
  homelab_apps:
    external: true
secrets:
  pg_pass:
    environment: AUTHENTIK_PG_PASS
  authentik_secret_key:
    environment: AUTHENTIK_SECRET_KEY