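---
# Docker Compose stack for authentik: server, worker, LDAP outpost,
# PostgreSQL and Redis. Credentials are supplied as Compose file secrets
# (see the `secrets:` section at the bottom) rather than inline values.
name: authentik

services:
  server:
    # The tag is pinned through VERSION; it is a mutable tag, not a digest.
    image: ghcr.io/goauthentik/server:${VERSION:-2024.12.2}
    container_name: authentik_server
    depends_on:
      - db
      - redis
    command: server
    restart: unless-stopped
    volumes:
      - /srv/authentik/media:/media
      - /srv/authentik/custom-templates:/templates
    # No host ports are published; the server is reached through the
    # external `proxy` network only.
    # ports:
    #   - "${COMPOSE_PORT_HTTP:-7000}:9000"
    #   - "${COMPOSE_PORT_HTTPS:-7443}:9443"
    networks:
      - internal
      - proxy
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: db
      # file:// values are read from the mounted secret files, so the
      # credentials do not appear in the container's environment.
      AUTHENTIK_POSTGRESQL__NAME: file:///run/secrets/db_name
      AUTHENTIK_POSTGRESQL__USER: file:///run/secrets/db_user
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/db_pass
      AUTHENTIK_SECRET_KEY: file:///run/secrets/secret
    secrets:
      - db_name
      - db_user
      - db_pass
      - secret

  worker:
    image: ghcr.io/goauthentik/server:${VERSION:-2024.12.2}
    container_name: authentik_worker
    depends_on:
      - db
      - redis
    command: worker
    restart: unless-stopped
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the
    # permissions on the mounted folders, so when removing this make sure the
    # folders have the correct UID/GID (1000:1000 by default).
    # The same applies to the secret files listed below: they must be readable
    # by this non-root user.
    user: authentik
    volumes:
      # Left disabled: access to the Docker socket is equivalent to root on
      # the host, so enable it only if the Docker integration is required.
      # - /var/run/docker.sock:/var/run/docker.sock
      - /srv/authentik/media:/media
      - /srv/authentik/certs:/certs
      - /srv/authentik/custom-templates:/templates
    networks:
      - internal
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_POSTGRESQL__NAME: file:///run/secrets/db_name
      AUTHENTIK_POSTGRESQL__USER: file:///run/secrets/db_user
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/db_pass
      AUTHENTIK_SECRET_KEY: file:///run/secrets/secret
      AUTHENTIK_EMAIL__HOST: file:///run/secrets/mail_server
      # Environment values are quoted so every parser hands them over as
      # strings (the file already does this for AUTHENTIK_INSECURE).
      AUTHENTIK_EMAIL__PORT: "587"
      AUTHENTIK_EMAIL__USERNAME: file:///run/secrets/mail_user
      AUTHENTIK_EMAIL__PASSWORD: file:///run/secrets/mail_pass
      AUTHENTIK_EMAIL__FROM: file:///run/secrets/mail_from
      # STARTTLS on the submission port; implicit TLS stays off.
      AUTHENTIK_EMAIL__USE_TLS: "true"
      AUTHENTIK_EMAIL__USE_SSL: "false"
      AUTHENTIK_EMAIL__TIMEOUT: "10"
    secrets:
      - db_name
      - db_user
      - db_pass
      - secret
      - mail_user
      - mail_pass
      - mail_from
      - mail_server

  ldap:
    image: ghcr.io/goauthentik/ldap:${VERSION:-2024.12.2}
    container_name: authentik_ldap
    depends_on:
      - server
      - worker
    restart: unless-stopped
    ports:
      # Only LDAPS is published; plain LDAP stays disabled. The mapping binds
      # on every host interface, so restrict access with the host firewall or
      # a host IP prefix if LDAPS should not be reachable from everywhere.
      # - "389:3389"
      - "636:6636"
    networks:
      - internal
    environment:
      AUTHENTIK_HOST: https://server:9443
      # Disables TLS certificate verification for the outpost-to-server
      # connection. The traffic stays on the `internal` network, but the
      # outpost cannot detect an impostor there; trusting the server's
      # certificate instead removes the need for this flag.
      AUTHENTIK_INSECURE: "true"
      # NOTE(review): confirm the outpost image resolves file:// values for
      # AUTHENTIK_TOKEN the way the server does for its settings.
      AUTHENTIK_TOKEN: file:///run/secrets/ldap_api_key
      # NOTE(review): not an AUTHENTIK_* setting; kept as in the original,
      # verify that something actually reads it.
      docker_network: internal
    secrets:
      - ldap_api_key

  db:
    image: docker.io/library/postgres:16-alpine
    container_name: authentik_db
    restart: unless-stopped
    healthcheck:
      # `$$` escapes Compose interpolation so the shell inside the container
      # expands the *_FILE variables and reads the names from the secrets.
      test:
        - "CMD-SHELL"
        - "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - db:/var/lib/postgresql/data
    networks:
      - internal
    environment:
      POSTGRES_DB_FILE: /run/secrets/db_name
      POSTGRES_USER_FILE: /run/secrets/db_user
      POSTGRES_PASSWORD_FILE: /run/secrets/db_pass
    secrets:
      - db_name
      - db_user
      - db_pass

  redis:
    # Floating tag: every pull may bring a different Redis release. Pin a
    # version tag or digest for reproducible, reviewable updates.
    image: docker.io/library/redis:alpine
    container_name: authentik_redis
    # No password is configured; Redis is protected only by being attached to
    # the `internal` network and publishing no ports.
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
    networks:
      - internal

volumes:
  db:
    driver: local
    name: authentik_db
  redis:
    driver: local
    name: authentik_redis

networks:
  internal:
    name: authentik-internal
  # Created outside this project (by the reverse proxy stack); only `server`
  # joins it.
  proxy:
    name: proxy-authentik
    external: true

# Host files mounted at /run/secrets/<name> in each service that lists them.
# The container sees the host file's owner and mode, so keep these files
# readable by the service users only (not world-readable) and out of version
# control and backups that are stored unencrypted.
secrets:
  db_name:
    file: /srv/docker/secrets/authentik/db/name.txt
  db_user:
    file: /srv/docker/secrets/authentik/db/user.txt
  db_pass:
    file: /srv/docker/secrets/authentik/db/pass.key
  secret:
    file: /srv/docker/secrets/authentik/keys/secret.key
  ldap_api_key:
    file: /srv/docker/secrets/authentik/keys/ldap_api.key
  mail_user:
    file: /srv/docker/secrets/mail/user.txt
  mail_from:
    file: /srv/docker/secrets/authentik/mail_from.txt
  mail_pass:
    file: /srv/docker/secrets/mail/pass.key
  mail_server:
    file: /srv/docker/secrets/mail/host.txt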