---
services:
  server:
    image: ghcr.io/goauthentik/server:2025.6.2
    container_name: authentik-server
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER:-authentik}
      - AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB:-authentik}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD:?error}
      # (Required)  To generate a secret key run the following command:
      #             echo $(openssl rand -base64 32)
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:?error}
      # (Optional)  Enable Error Reporting
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING:-false}
      # (Optional)  Enable Email Sending
      #             Highly recommended to notify you about alerts and configuration issues.
      - AUTHENTIK_EMAIL__HOST=${EMAIL_HOST:?error}
      - AUTHENTIK_EMAIL__PORT=${EMAIL_PORT:-25}
      - AUTHENTIK_EMAIL__USERNAME=${EMAIL_USERNAME:?error}
      - AUTHENTIK_EMAIL__PASSWORD=${EMAIL_PASSWORD:?error}
      - AUTHENTIK_EMAIL__USE_TLS=${EMAIL_USE_TLS:-false}
      - AUTHENTIK_EMAIL__USE_SSL=${EMAIL_USE_SSL:-false}
      - AUTHENTIK_EMAIL__TIMEOUT=${EMAIL_TIMEOUT:-10}
      - AUTHENTIK_EMAIL__FROM=${EMAIL_FROM:?error}
    ports:
      # (Optional)  Remove these, if you're using a reverse proxy like Traefik.
      - 9000:9000
      - 9443:9443
    labels:
      # (Optional)  Enable Traefik integration for the Authentik Web UI. For more information
      #             about integrating other services with Traefik and Authentik, see the
      #             documentation at https://goauthentik.io/docs/outposts/integrations/traefik
      #             and the middleware example files in `docker-compose/traefik/config`.
      - traefik.enable=true
      - traefik.http.services.authentik.loadbalancer.server.port=9000
      - traefik.http.services.authentik.loadbalancer.server.scheme=http
      - traefik.http.routers.authentik.entrypoints=websecure
      - traefik.http.routers.authentik.rule=Host(`your-authentik-fqdn`)
      - traefik.http.routers.authentik.tls=true
      - traefik.http.routers.authentik.tls.certresolver=cloudflare
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    depends_on:
      - postgres
      - redis
    restart: unless-stopped

  worker:
    image: ghcr.io/goauthentik/server:2025.6.2
    container_name: authentik-worker
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER:-authentik}
      - AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB:-authentik}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD:?error}
      # (Required)  To generate a secret key run the following command:
      #             echo $(openssl rand -base64 32)
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:?error}
      # (Optional)  Enable Error Reporting
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING:-false}
      # (Optional)  Enable Email Sending
      #             Highly recommended to notify you about alerts and configuration issues.
      - AUTHENTIK_EMAIL__HOST=${EMAIL_HOST:?error}
      - AUTHENTIK_EMAIL__PORT=${EMAIL_PORT:-25}
      - AUTHENTIK_EMAIL__USERNAME=${EMAIL_USERNAME:?error}
      - AUTHENTIK_EMAIL__PASSWORD=${EMAIL_PASSWORD:?error}
      - AUTHENTIK_EMAIL__USE_TLS=${EMAIL_USE_TLS:-false}
      - AUTHENTIK_EMAIL__USE_SSL=${EMAIL_USE_SSL:-false}
      - AUTHENTIK_EMAIL__TIMEOUT=${EMAIL_TIMEOUT:-10}
      - AUTHENTIK_EMAIL__FROM=${EMAIL_FROM:?error}
    # (Optional)  See more for the docker socket integration here:
    #             https://goauthentik.io/docs/outposts/integrations/docker
    user: root
    volumes:
      - /run/docker.sock:/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    depends_on:
      - postgres
      - redis
    restart: unless-stopped

  redis:
    image: docker.io/library/redis:8.0.2
    container_name: authentik-redis
    command: --save 60 1 --loglevel warning
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis_data:/data
    restart: unless-stopped

  postgres:
    # (Optional) Add a PostgreSQL Database for Authentik
    #   Alternatively, you can host your PostgreSQL database externally, and
    #   change the connection settings in the `authentik-server` and
    #   `authentik-worker`.
    image: docker.io/library/postgres:17.5
    container_name: authentik-db
    environment:
      - POSTGRES_USER=${POSTGRES_USER:-authentik}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?error}
      - POSTGRES_DB=${POSTGRES_DB:-authentik}
      - TZ=${TZ:-UTC}
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U "${POSTGRES_USER:-authentik}"']
      start_period: 30s
      interval: 10s
      timeout: 10s
      retries: 5
    volumes:
      - postgres_data:/var/lib/postgresql/data
    restart: unless-stopped

volumes:
  postgres_data:
    driver: local
  redis_data:
    driver: local