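---
# Authentik identity provider stack: PostgreSQL, Redis, the authentik server
# and the authentik worker. This is a Compose *template*: every `{{ ... }}`
# placeholder is substituted before Compose parses the file, so templated
# scalars are quoted to keep the rendered YAML unambiguous.
#
# Operator notes:
#   - The rendered file holds the database password, the authentik secret key
#     and the SMTP password in plain text. Restrict its permissions to the
#     deploying user and keep the source values in an encrypted store.
#   - The same values are visible in each container's environment (for example
#     through container inspection); prefer file-based secrets where the
#     deployment supports them.
#   - All services log through the GELF driver over UDP, which is best-effort
#     and unencrypted. Keep the Graylog input on a trusted network segment.

services:
  authentik-postgresql:
    image: docker.io/library/postgres:16-alpine
    container_name: authentik-postgresql
    restart: unless-stopped
    healthcheck:
      # `$$` escapes Compose interpolation so the variables are expanded
      # inside the container, from the environment block below.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 30s
      timeout: 5s
      retries: 5
    environment:
      POSTGRES_PASSWORD: "{{ authentik_db_password }}"
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
    volumes:
      - "{{ authentik_data_dir }}/postgres:/var/lib/postgresql/data"
    networks:
      # No published ports: reachable only from services on `internal`.
      - internal
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "authentik-postgresql"

  authentik-redis:
    # NOTE(review): `redis:alpine` is a floating tag, so the image can change
    # between pulls. Pin a specific version or digest for reproducible,
    # reviewable upgrades.
    image: docker.io/library/redis:alpine
    container_name: authentik-redis
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      interval: 30s
      timeout: 3s
      retries: 5
    networks:
      # Redis runs without authentication here; the `internal` network is the
      # only access control, so do not publish its port or attach it elsewhere.
      - internal
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "authentik-redis"

  authentik-server:
    image: "ghcr.io/goauthentik/server:{{ authentik_version }}"
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: "{{ authentik_db_password }}"
      AUTHENTIK_POSTGRESQL__NAME: authentik
      # Must be identical on server and worker.
      AUTHENTIK_SECRET_KEY: "{{ authentik_secret_key }}"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
      AUTHENTIK_EMAIL__HOST: "{{ smtp_host }}"
      AUTHENTIK_EMAIL__PORT: "{{ smtp_port }}"
      AUTHENTIK_EMAIL__USERNAME: "{{ smtp_user }}"
      AUTHENTIK_EMAIL__PASSWORD: "{{ smtp_password }}"
      AUTHENTIK_EMAIL__FROM: "{{ smtp_from }}"
      AUTHENTIK_EMAIL__USE_TLS: "true"
    volumes:
      - "{{ authentik_data_dir }}/media:/media"
      - "{{ authentik_data_dir }}/custom-templates:/templates"
      - "{{ authentik_data_dir }}/blueprints:/blueprints/custom"
      - "{{ authentik_data_dir }}/certs:/certs"
    ports:
      # Bound to loopback only: the plain-HTTP listener is not exposed on the
      # host's external interfaces; public traffic arrives through Traefik.
      - "127.0.0.1:9001:9000"
    depends_on:
      # Wait for the dependencies' health checks, not just container start.
      authentik-postgresql:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy
    labels:
      - "traefik.enable=true"
      # The container sits on two networks; tell Traefik which one to use so
      # it does not pick the address on `internal`, which it cannot reach.
      - "traefik.docker.network={{ sovereign_network_name }}"
      - "traefik.http.routers.authentik.rule=Host(`{{ authentik_domain }}`)"
      - "traefik.http.routers.authentik.tls=true"
      - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
    networks:
      - internal
      - "{{ sovereign_network_name }}"
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "authentik-server"

  authentik-worker:
    image: "ghcr.io/goauthentik/server:{{ authentik_version }}"
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: "{{ authentik_db_password }}"
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_SECRET_KEY: "{{ authentik_secret_key }}"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
      # NOTE(review): the AUTHENTIK_EMAIL__* settings are only present on the
      # server. If outgoing mail is sent from worker tasks, the worker needs
      # them as well - confirm against the authentik documentation.
    volumes:
      - "{{ authentik_data_dir }}/media:/media"
      - "{{ authentik_data_dir }}/certs:/certs"
      # SECURITY: access to the Docker socket is equivalent to root on the
      # host, and a read-only bind mount would not limit the API. Keep this
      # mount only if authentik manages outposts through Docker; otherwise
      # remove it, or place a filtering socket proxy in front of the daemon
      # that allows only the API calls the integration needs.
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on:
      authentik-postgresql:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy
    networks:
      - internal
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "authentik-worker"

networks:
  # Project-scoped network for database, cache and worker traffic.
  internal: {}
  # Pre-existing network shared with the reverse proxy; not created here.
  "{{ sovereign_network_name }}":
    external: true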