Untitled

services:
  db:
    image: postgres:16-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:-authentik}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - ./.env
    networks:
      - default
  redis:
    image: redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
    networks:
      - default
  server:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2024.4}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:-authentik}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - media:/media
      - custom-templates:/templates
    env_file:
      - ./.env
    # ports:
    #   - "9000:9000"
    #   - "9443:9443"
    depends_on:
      - db
      - redis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.rule=Host(`${AUTHENTIK_SUBDOMAIN}.${DOMAIN_NAME}`)"
      - "traefik.http.routers.authentik.entrypoints=securedweb"
      - "traefik.http.routers.authentik-outpost.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAIN_NAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik-outpost.entrypoints=securedweb"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
    networks:
      - default
      - traefik_proxy
  worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2024.4}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:-authentik}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - media:/media
      - certs:/certs
      - custom-templates:/templates
    env_file:
      - ./.env
    user: root
    depends_on:
      - db
      - redis
    networks:
      - default
  ldap:
    image: ghcr.io/goauthentik/ldap:${AUTHENTIK_VERSION:-2024.4}
    networks:
      - default
      - traefik_proxy
    environment:
        AUTHENTIK_HOST: https://${AUTHENTIK_SUBDOMAIN}.${DOMAIN_NAME}
        AUTHENTIK_INSECURE: false
        AUTHENTIK_TOKEN: ${AUTHENTIK_LDAP_TOKEN}
        #AUTHENTIK_LISTEN__LDAP: "0.0.0.0:389"
        #AUTHENTIK_LISTEN__LDAPS: "0.0.0.0:636"
    env_file:
        ./.env
    labels:
      - "io.goauthentik.outpost-uuid=219aeada-d950-4ac3-88a2-aaa56ad4d556"
      - "traefik.enable=true"
      - "traefik.tcp.routers.ak-outpost-ldap.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.ak-outpost-ldap.entrypoints=ldaps"
      # - "traefik.tcp.services.ak-outpost-ldap.loadbalancer.healthcheck.path=/outpost.goauthentik.io/ping"
      # - "traefik.tcp.services.ak-outpost-ldap.loadbalancer.healthcheck.port=9300"
      - "traefik.tcp.services.ak-outpost-ldap.loadbalancer.server.port=3389"
      - "traefik.tcp.routers.ak-outpost-ldap.tls.certResolver=wildcardresolver"
      - "traefik.tcp.routers.ak-outpost-ldap.tls=true"
      # - "traefik.tcp.routers.ak-outpost-ldap.tls.passthrough=false"

volumes:
  database:
  redis:
  media:
  custom-templates:
  certs:

networks:
  default:
  traefik_proxy:
    external: true