ChristianLempa_Boilerplates/library/compose/authentik/compose.yaml.j2

---
services:
  {{ service_name }}:
    image: ghcr.io/goauthentik/server:2025.12.4
    restart: {{ restart_policy }}
    command: server
    environment:
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }}
      - AUTHENTIK_POSTGRESQL__HOST={{ service_name }}_postgres
      - AUTHENTIK_POSTGRESQL__USER={{ database_user }}
      - AUTHENTIK_POSTGRESQL__NAME={{ database_name }}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DATABASE_PASSWORD}
      {% if email_enabled %}
      - AUTHENTIK_EMAIL__HOST={{ email_host }}
      - AUTHENTIK_EMAIL__PORT={{ email_port }}
      - AUTHENTIK_EMAIL__FROM={{ email_from }}
      - AUTHENTIK_EMAIL__USERNAME={{ email_username }}
      - AUTHENTIK_EMAIL__PASSWORD=${EMAIL_PASSWORD}
      {% if email_encryption == "ssl" %}
      - AUTHENTIK_EMAIL__USE_SSL=True
      {% elif email_encryption == "starttls" %}
      - AUTHENTIK_EMAIL__USE_TLS=True
      {% endif %}
      {% endif %}
    networks:
      {% if traefik_enabled %}
      - {{ traefik_network }}
      {% endif %}
      - {{ service_name }}_backend
    {% if not traefik_enabled %}
    ports:
      - "{{ ports_http }}:9000"
      - "{{ ports_https }}:9443"
    {% endif %}
    volumes:
      {% if volume_mode == 'mount' %}
      - {{ volume_mount_path }}/data:/data
      - {{ volume_mount_path }}/templates:/templates
      {% elif volume_mode == 'local' or volume_mode == 'nfs' %}
      - {{ service_name }}_data:/data
      - {{ service_name }}_templates:/templates
      {% endif %}
    {% if traefik_enabled %}
    labels:
      - traefik.enable=true
      - traefik.docker.network={{ traefik_network }}
      - traefik.http.services.{{ service_name }}_web.loadBalancer.server.port=9000
      - traefik.http.routers.{{ service_name }}_http.service={{ service_name }}_web
      - traefik.http.routers.{{ service_name }}_http.rule=Host(`{{ traefik_host }}.{{ traefik_domain }}`)
      - traefik.http.routers.{{ service_name }}_http.entrypoints=web
      - "traefik.http.middlewares.authentik.forwardauth.address=\
        http://{{ service_name }}:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=\
        X-authentik-username,\
        X-authentik-groups,\
        X-authentik-entitlements,\
        X-authentik-email,\
        X-authentik-name,\
        X-authentik-uid,\
        X-authentik-jwt,\
        X-authentik-meta-jwks,\
        X-authentik-meta-outpost,\
        X-authentik-meta-provider,\
        X-authentik-meta-app,\
        X-authentik-meta-version"
      {% if traefik_tls_enabled %}
      - traefik.http.routers.{{ service_name }}_https.service={{ service_name }}_web
      - traefik.http.routers.{{ service_name }}_https.rule=Host(`{{ traefik_host }}.{{ traefik_domain }}`)
      - traefik.http.routers.{{ service_name }}_https.entrypoints=websecure
      - traefik.http.routers.{{ service_name }}_https.tls=true
      - traefik.http.routers.{{ service_name }}_https.tls.certresolver={{ traefik_tls_certresolver }}
      {% endif %}
    {% endif %}
    {% if not database_external %}
    depends_on:
      - {{ service_name }}_postgres
    {% endif %}

  {#
    Authentik Worker: Background task processor
    Handles long-running tasks like email sending, cleanup jobs, and scheduled tasks
  #}
  {{ service_name }}_worker:
    image: ghcr.io/goauthentik/server:2025.12.4
    restart: {{ restart_policy }}
    command: worker
    environment:
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }}
      - AUTHENTIK_POSTGRESQL__HOST={{ service_name }}_postgres
      - AUTHENTIK_POSTGRESQL__USER={{ database_user }}
      - AUTHENTIK_POSTGRESQL__NAME={{ database_name }}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DATABASE_PASSWORD}
      {% if email_enabled %}
      - AUTHENTIK_EMAIL__HOST={{ email_host }}
      - AUTHENTIK_EMAIL__PORT={{ email_port }}
      - AUTHENTIK_EMAIL__FROM={{ email_from }}
      - AUTHENTIK_EMAIL__USERNAME={{ email_username }}
      - AUTHENTIK_EMAIL__PASSWORD=${EMAIL_PASSWORD}
      {% if email_encryption == "ssl" %}
      - AUTHENTIK_EMAIL__USE_SSL=True
      {% elif email_encryption == "starttls" %}
      - AUTHENTIK_EMAIL__USE_TLS=True
      {% endif %}
      {% endif %}
      {% if authentik_admin_password %}
      - AUTHENTIK_BOOTSTRAP_PASSWORD=${AUTHENTIK_ADMIN_PASSWORD}
      {% endif %}
    user: root
    networks:
      - {{ service_name }}_backend
    volumes:
      {# the embedded outpost uses the docker socket to manage containers #}
      - /run/docker.sock:/run/docker.sock
      {% if volume_mode == 'mount' %}
      - {{ volume_mount_path }}/data:/data
      - {{ volume_mount_path }}/certs:/certs
      - {{ volume_mount_path }}/templates:/templates
      {% elif volume_mode == 'local' or volume_mode == 'nfs' %}
      - {{ service_name }}_data:/data
      - {{ service_name }}_certs:/certs
      - {{ service_name }}_templates:/templates
      {% endif %}
    {% if not database_external %}
    depends_on:
      - {{ service_name }}_postgres
    {% endif %}

  {#
    PostgreSQL database service
  #}
  {% if not database_external %}
  {{ service_name }}_postgres:
    image: docker.io/library/postgres:17.8
    restart: {{ restart_policy }}
    environment:
      - POSTGRES_USER={{ database_user }}
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
      - POSTGRES_DB={{ database_name }}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U {{ database_user }}"]
      start_period: 30s
      interval: 10s
      timeout: 10s
      retries: 5
    networks:
      - {{ service_name }}_backend
    volumes:
      {% if volume_mode == 'mount' %}
      - {{ volume_mount_path }}/postgres:/var/lib/postgresql/data
      {% elif volume_mode == 'local' or volume_mode == 'nfs' %}
      - {{ service_name }}_postgres:/var/lib/postgresql/data
      {% endif %}
  {% endif %}

{#
  Network definitions:
  - Backend network: Internal communication between services
  - Traefik network: External access via reverse proxy (always external)
#}
networks:
  {{ service_name }}_backend:
    driver: bridge
  {% if traefik_enabled %}
  {{ traefik_network }}:
    external: true
  {% endif %}

{#
  Volume definitions:
  - When volume_mode is 'local' (default): use docker-managed local volumes
  - When volume_mode is 'nfs': configure NFS-backed volumes
  - When volume_mode is 'mount': no volume definition needed (bind mounts used directly)
#}
{% if volume_mode == 'local' %}
volumes:
  {% if not database_external %}
  {{ service_name }}_postgres:
    driver: local
  {% endif %}
  {{ service_name }}_redis:
    driver: local
  {{ service_name }}_data:
    driver: local
  {{ service_name }}_certs:
    driver: local
  {{ service_name }}_templates:
    driver: local
{% elif volume_mode == 'nfs' %}
volumes:
  {% if not database_external %}
  {{ service_name }}_postgres:
    driver: local
    driver_opts:
      type: nfs
      o: addr={{ volume_nfs_server }},nfsvers=4,{{ volume_nfs_options }}
      device: ":{{ volume_nfs_path }}/postgres"
  {% endif %}
  {{ service_name }}_redis:
    driver: local
    driver_opts:
      type: nfs
      o: addr={{ volume_nfs_server }},nfsvers=4,{{ volume_nfs_options }}
      device: ":{{ volume_nfs_path }}/redis"
  {{ service_name }}_data:
    driver: local
    driver_opts:
      type: nfs
      o: addr={{ volume_nfs_server }},nfsvers=4,{{ volume_nfs_options }}
      device: ":{{ volume_nfs_path }}/data"
  {{ service_name }}_certs:
    driver: local
    driver_opts:
      type: nfs
      o: addr={{ volume_nfs_server }},nfsvers=4,{{ volume_nfs_options }}
      device: ":{{ volume_nfs_path }}/certs"
  {{ service_name }}_templates:
    driver: local
    driver_opts:  
      type: nfs
      o: addr={{ volume_nfs_server }},nfsvers=4,{{ volume_nfs_options }}
      device: ":{{ volume_nfs_path }}/templates"
{% endif %}