authentik.yml

---
version: "1"

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - auth-database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: {{DB_PASS}}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
    networks:
      - {{SECURENETWORK}}
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - auth-redis:/data
    networks:
      - {{SECURENETWORK}}
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.5.3}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: {{DB_PASS}}
      AUTHENTIK_SECRET_KEY: {{AUTHENTIK_SECRET_KEY}}
    volumes:
      - auth-appdata:/media
      - auth-appdata:/templates
    ports:
      - "{{AUTH_PORT_HTTP}}:9000"
      - "{{AUTH_PORT_HTTPS}}:9443"
    depends_on:
      - postgresql
      - redis
    networks:
      - {{SECURENETWORK}}
      - {{PROXYNETWORK}}
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.5.3}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: {{DB_PASS}}
      AUTHENTIK_SECRET_KEY: {{AUTHENTIK_SECRET_KEY}}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - auth-appdata:/media
      - auth-appdata:/certs
      - auth-appdata:/templates
    depends_on:
      - postgresql
      - redis
    networks:
      - {{SECURENETWORK}}
      - {{PROXYNETWORK}}

volumes:
  auth-database:
    driver: local
  auth-redis:
    driver: local
  auth-appdata:
    driver: local


networks:
  {{PROXYNETWORK}}:
    driver: bridge
    external: true
  {{SECURENETWORK}}:
    driver: bridge
    external: true