version: '3.2'

services:
  postgresql:
    image: postgres:12-alpine
    container_name: auth_postgres
    user: "{{ users.0.uid }}:{{ users.0.gid }}"
    volumes:
      - /etc/passwd:/etc/passwd:ro
      - /opt/appdata/authentik/postgresql:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD={{ secret_authentik.postgres.password }}
      - POSTGRES_USER={{ secret_authentik.postgres.user }}
      - POSTGRES_DB={{ secret_authentik.postgres.database }}
    networks:
      - auth

  redis:
    image: redis:alpine
    restart: unless-stopped
    networks:
      - auth

  server:
    image: ghcr.io/goauthentik/server:{{ AUTHENTIK_TAG }}
    restart: unless-stopped
    command: server
    user: "{{ users.0.uid }}:{{ users.0.gid }}"
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: {{ secret_authentik.postgres.user }}
      AUTHENTIK_POSTGRESQL__NAME: {{ secret_authentik.postgres.database }}
      AUTHENTIK_POSTGRESQL__PASSWORD: {{ secret_authentik.postgres.password }}
      AUTHENTIK_SECRET_KEY: {{ secret_authentik.secret_key }}
      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      # WORKERS: 2
    volumes:
      - /opt/appdata/authentik/media:/media
      - /opt/appdata/authentik/custom-templates:/templates
      - /opt/appdata/swag/config/geoip2db:/geoip:ro
    networks:
      - default
      - auth
    labels:
      - swag=enable
      - "swag_url=sso.{{ sl_domain }}"
      - swag_port=9443
      - swag_proto=https

  worker:
    image: ghcr.io/goauthentik/server:{{ AUTHENTIK_TAG }}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: {{ secret_authentik.postgres.user }}
      AUTHENTIK_POSTGRESQL__NAME: {{ secret_authentik.postgres.database }}
      AUTHENTIK_POSTGRESQL__PASSWORD: {{ secret_authentik.postgres.password }}
      AUTHENTIK_SECRET_KEY: {{ secret_authentik.secret_key }}
      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
    user: "{{ users.0.uid }}:{{ users.0.gid }}"
    volumes:
      - /opt/appdata/authentik/backups:/backups
      - /opt/appdata/authentik/certs:/certs
      - /opt/appdata/authentik/media:/media
      - /opt/appdata/authentik/custom-templates:/templates
      - /opt/appdata/swag/config/geoip2db:/geoip:ro
    networks:
      - auth

networks:
  default:
    external: true
    name: proxynet

  auth:
    internal: true
    name: auth