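---
# Docker Compose template (Jinja2) for Automatisch behind Traefik with
# Authentik forward auth. Four services: PostgreSQL, Redis, the web app and
# a background worker that reuses the app image with WORKER set to "true".
#
# Review notes for operators:
# - The rendered file holds the database password, ENCRYPTION_KEY,
#   WEBHOOK_SECRET_KEY, APP_SECRET_KEY and SMTP credentials in plaintext.
#   Render it with a restrictive file mode and keep the source variables in
#   an encrypted store (for example ansible-vault).
# - Every service logs through GELF over UDP, which is unencrypted and
#   unacknowledged. Keep the path to the log host on a trusted network and
#   assume application logs may contain sensitive values.
# - No service publishes host ports; the app is reachable only through
#   Traefik on the shared external network. The forwarded X-authentik-*
#   identity headers are only meaningful while that stays true.
# - Templated values that start a scalar are quoted so that the template is
#   itself valid YAML and a rendered value cannot be re-typed or parsed as a
#   flow mapping.
services:
  automatisch-db:
    # Floating tag: the image content can change between pulls.
    image: postgres:16-alpine
    container_name: automatisch-db
    restart: unless-stopped
    environment:
      POSTGRES_DB: automatisch
      POSTGRES_USER: automatisch
      POSTGRES_PASSWORD: "{{ automatisch_db_password }}"
    volumes:
      - "{{ automatisch_data_dir }}/db:/var/lib/postgresql/data"
    networks:
      - internal
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "automatisch-db"

  automatisch-redis:
    # No requirepass is configured here, so any container attached to the
    # "internal" network can talk to Redis unauthenticated. No volume is
    # mounted either, so Redis data does not survive container recreation.
    image: redis:7-alpine
    container_name: automatisch-redis
    restart: unless-stopped
    networks:
      - internal
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "automatisch-redis"

  automatisch:
    image: "automatischio/automatisch:{{ automatisch_version }}"
    container_name: automatisch
    restart: unless-stopped
    # depends_on orders start-up only; it does not wait for the database or
    # Redis to be ready to accept connections.
    depends_on:
      - automatisch-db
      - automatisch-redis
    environment:
      HOST: "{{ automatisch_domain }}"
      PROTOCOL: https
      PORT: "3000"
      APP_ENV: production
      POSTGRES_HOST: automatisch-db
      POSTGRES_PORT: "5432"
      POSTGRES_DATABASE: automatisch
      POSTGRES_USERNAME: automatisch
      POSTGRES_PASSWORD: "{{ automatisch_db_password }}"
      REDIS_HOST: automatisch-redis
      REDIS_PORT: "6379"
      # These three keys must be identical in the automatisch-worker service
      # below, which receives the same variables.
      ENCRYPTION_KEY: "{{ automatisch_encryption_key }}"
      WEBHOOK_SECRET_KEY: "{{ automatisch_webhook_secret_key }}"
      APP_SECRET_KEY: "{{ automatisch_app_secret_key }}"
      SMTP_HOST: "{{ smtp_host }}"
      SMTP_PORT: "{{ smtp_port }}"
      SMTP_USER: "{{ smtp_user }}"
      SMTP_PASSWORD: "{{ smtp_password }}"
      FROM_EMAIL: "{{ smtp_from }}"
      TELEMETRY_ENABLED: "false"
    volumes:
      - "{{ automatisch_data_dir }}/storage:/automatisch/packages/backend/storage"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.automatisch.rule=Host(`{{ automatisch_domain }}`)"
      - "traefik.http.routers.automatisch.tls=true"
      - "traefik.http.routers.automatisch.tls.certresolver=letsencrypt"
      - "traefik.http.routers.automatisch.middlewares=automatisch-auth@docker"
      - "traefik.http.services.automatisch.loadbalancer.server.port=3000"
      # Authentik forward auth — protects the entire app with Authentik SSO.
      # Pre-requisite: create a Proxy Provider (Forward Auth, single application)
      # in Authentik pointing to https://{{ automatisch_domain }}, then add it
      # to the embedded outpost.
      # NOTE(review): the middleware is attached to the only router, so every
      # request to this host requires an Authentik session. Inbound webhook
      # calls from third-party services would presumably be covered too —
      # confirm whether they need a separately protected route.
      - "traefik.http.middlewares.automatisch-auth.forwardauth.address=https://{{ authentik_domain }}/outpost.goauthentik.io/auth/traefik"
      # trustForwardHeader passes X-Forwarded-* headers already present on the
      # request through to the auth endpoint. NOTE(review): if Traefik is the
      # internet-facing edge, confirm its entry point only accepts forwarded
      # headers from trusted proxies.
      - "traefik.http.middlewares.automatisch-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.automatisch-auth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
    networks:
      - internal
      - "{{ sovereign_network_name }}"
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "automatisch"

  automatisch-worker:
    image: "automatischio/automatisch:{{ automatisch_version }}"
    container_name: automatisch-worker
    restart: unless-stopped
    depends_on:
      - automatisch
    environment:
      WORKER: "true"
      HOST: "{{ automatisch_domain }}"
      PROTOCOL: https
      APP_ENV: production
      POSTGRES_HOST: automatisch-db
      POSTGRES_PORT: "5432"
      POSTGRES_DATABASE: automatisch
      POSTGRES_USERNAME: automatisch
      POSTGRES_PASSWORD: "{{ automatisch_db_password }}"
      REDIS_HOST: automatisch-redis
      REDIS_PORT: "6379"
      ENCRYPTION_KEY: "{{ automatisch_encryption_key }}"
      WEBHOOK_SECRET_KEY: "{{ automatisch_webhook_secret_key }}"
      APP_SECRET_KEY: "{{ automatisch_app_secret_key }}"
      TELEMETRY_ENABLED: "false"
    volumes:
      - "{{ automatisch_data_dir }}/storage:/automatisch/packages/backend/storage"
    networks:
      - internal
    logging:
      driver: gelf
      options:
        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
        tag: "automatisch-worker"

networks:
  # Despite its name this network is not declared with "internal: true", so
  # attached containers keep outbound connectivity. NOTE(review): the worker
  # is attached only to this network and presumably needs outbound access, so
  # isolating the database and Redis would require a separate network.
  internal: {}
  "{{ sovereign_network_name }}":
    external: true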