---
# authentik stack (coop-cloud recipe) — Compose v3.8 / Swarm.
#
# Security posture as written here:
#   * every credential reaches a container as a file:// reference to a Swarm
#     secret (see `secrets:` at the bottom); nothing sensitive is inlined;
#   * only `app` publishes Traefik labels; `db` and `redis` sit on the
#     `internal` network only and expose no ports.

# Environment shared by `app` and `worker`. Entries without `=` are passed
# through from the deployment environment (the recipe's .env).
x-env: &env
  - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
  - AUTHENTIK_POSTGRESQL__USER=authentik
  - AUTHENTIK_POSTGRESQL__NAME=authentik
  - AUTHENTIK_POSTGRESQL__HOST=db
  - AUTHENTIK_REDIS__HOST=redis
  - AUTHENTIK_ERROR_REPORTING__ENABLED
  - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
  - AUTHENTIK_EMAIL__HOST
  - AUTHENTIK_EMAIL__PORT
  - AUTHENTIK_EMAIL__USERNAME
  - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
  - AUTHENTIK_EMAIL__USE_TLS
  - AUTHENTIK_EMAIL__USE_SSL
  - AUTHENTIK_EMAIL__TIMEOUT
  - AUTHENTIK_EMAIL__FROM
  - AUTHENTIK_LOG_LEVEL
  # Defaults for the login-page styling; `#` here is inside a plain scalar
  # with no preceding space, so it is not a YAML comment.
  - BACKGROUND_FONT_COLOR=${BACKGROUND_FONT_COLOR:-white}
  - BACKGROUND_BOX_COLOR=${BACKGROUND_BOX_COLOR:-#eaeaeacf}
  - AUTHENTIK_FOOTER_LINKS
  - AUTHENTIK_IMPERSONATION
  - AUTHENTIK_BOOTSTRAP_EMAIL
  - WELCOME_MESSAGE
  - DEFAULT_LANGUAGE
  - EMAIL_SUBJECT
  - EMAIL_TOKEN_EXPIRY_MINUTES
  - DOMAIN
  - LOGOUT_REDIRECT
  - APPLICATIONS
  - THEME_BACKGROUND

# Identical health probe for both authentik containers. The string form of
# `test` runs through the container's shell (CMD-SHELL semantics).
x-healthcheck: &ak_healthcheck
  test: "ak healthcheck"
  interval: 30s
  timeout: 30s
  retries: 10
  start_period: 5m

version: '3.8'

services:
  # Web/API server. The only service with Traefik labels, i.e. the only one
  # reachable from the `proxy` network's edge router.
  app:
    image: ghcr.io/goauthentik/server:2025.2.4
    command: server
    environment: *env
    healthcheck: *ak_healthcheck
    depends_on:
      - db
      - redis
    secrets:
      - db_password
      - admin_pass
      - admin_token
      - secret_key
      - email_pass
    volumes:
      - media:/media
      - assets:/web/dist/assets
      - templates:/templates
    networks:
      - internal
      - proxy
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        # TLS-only entrypoint; the `-redirect` middleware pins the host
        # header to DOMAIN on the HTTPS side.
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        # Clickjacking controls: X-Frame-Options SAMEORIGIN plus a CSP
        # frame-ancestors list built from X_FRAME_OPTIONS_ALLOW_FROM. With
        # that variable empty the directive has no sources, which per the CSP
        # spec allows no framing at all — confirm against the rendered header
        # if embedding is expected.
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
        - "coop-cloud.${STACK_NAME}.version=7.1.0+2025.2.4"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"

  # Background worker: applies the blueprint configs mounted below.
  worker:
    image: ghcr.io/goauthentik/server:2025.2.4
    command: worker
    environment: *env
    healthcheck: *ak_healthcheck
    depends_on:
      - db
      - redis
    secrets:
      - db_password
      - admin_pass
      - admin_token
      - secret_key
      - email_pass
    # NOTE(review): the worker is also attached to `proxy` although it
    # publishes no Traefik labels; confirm it needs that reachability,
    # otherwise `internal` alone is the smaller exposure.
    networks:
      - internal
      - proxy
    volumes:
      - media:/media
      # Shadows the image's bundled out-of-box-experience blueprint with an
      # empty file — presumably so initial setup is driven solely by the
      # recipe's own blueprints below; verify against the authentik release.
      - /dev/null:/blueprints/default/flow-oobe.yaml
      - templates:/templates
      - certs:/certs
    # Numbered so authentik applies them in a deterministic order.
    configs:
      - source: flow_recovery
        target: /blueprints/1_flow_recovery.yaml
      - source: flow_authentication
        target: /blueprints/2_flow_authentication.yaml
      - source: flow_translation
        target: /blueprints/3_flow_translation.yaml
      - source: flow_invitation
        target: /blueprints/4_flow_invitation.yaml
      - source: system_brand
        target: /blueprints/5_system_brand.yaml
      - source: flow_invalidation
        target: /blueprints/6_flow_invalidation.yaml

  db:
    image: postgres:15.12
    # Only the DB password is needed here; the admin/email secrets stay
    # with the authentik containers.
    secrets:
      - db_password
    configs:
      # 0555 = r-x for owner/group/other. This is a YAML 1.1 octal literal
      # (leading zero); a strict YAML 1.2 parser would read decimal 555.
      # Verify the stack loader's octal handling before rewriting as 0o555.
      - source: db_entrypoint
        target: /docker-entrypoint.sh
        mode: 0555
      - source: pg_backup
        target: /pg_backup.sh
        mode: 0555
    entrypoint: /docker-entrypoint.sh
    volumes:
      - database:/var/lib/postgresql/data
    networks:
      - internal
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "authentik"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    environment:
      # Password is read from the secret file, never from the environment.
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
      - POSTGRES_USER=authentik
      - POSTGRES_DB=authentik
    deploy:
      # backupbot: dump via pg_backup.sh rather than copying the raw data dir.
      labels:
        backupbot.backup: "${ENABLE_BACKUPS:-true}"
        backupbot.backup.pre-hook: "/pg_backup.sh backup"
        backupbot.backup.volumes.database.path: "backup.sql"
        backupbot.backup.volumes.redis: "false"
        backupbot.restore.post-hook: "/pg_backup.sh restore"

  # No authentication is configured on Redis; it is reachable only on the
  # `internal` network, so keep it off `proxy`.
  redis:
    image: redis:7.4.2-alpine
    # Snapshot after 60s if at least one key changed.
    command: --save 60 1 --loglevel warning
    networks:
      - internal
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    volumes:
      - redis:/data

# Swarm external secrets, created out of band and rotated by bumping the
# *_VERSION suffix in the deployment environment.
secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
  secret_key:
    external: true
    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
  admin_token:
    external: true
    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
  admin_pass:
    external: true
    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
  email_pass:
    external: true
    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}

networks:
  # Shared edge network owned by the Traefik stack.
  proxy:
    external: true
  # Stack-local overlay for app/worker <-> db/redis traffic.
  internal:

volumes:
  media:
  certs:
  redis:
  templates:
  assets:
  database:

# Blueprint and script configs. All but pg_backup are Go templates rendered
# from the deployment environment at deploy time.
configs:
  flow_authentication:
    name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
    file: flow_authentication.yaml.tmpl
    template_driver: golang
  flow_invitation:
    name: ${STACK_NAME}_flow_invitation_${FLOW_INVITATION_VERSION}
    file: flow_invitation.yaml.tmpl
    template_driver: golang
  flow_invalidation:
    name: ${STACK_NAME}_flow_invalidation_${FLOW_INVALIDATION_VERSION}
    file: flow_invalidation.yaml.tmpl
    template_driver: golang
  flow_recovery:
    name: ${STACK_NAME}_flow_recovery_${FLOW_RECOVERY_VERSION}
    file: flow_recovery.yaml.tmpl
    template_driver: golang
  flow_translation:
    name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
    file: flow_translation.yaml.tmpl
    template_driver: golang
  system_brand:
    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
    file: system_brand.yaml.tmpl
    template_driver: golang
  db_entrypoint:
    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
    file: entrypoint.postgres.sh.tmpl
    template_driver: golang
  # Plain file, not templated.
  pg_backup:
    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
    file: pg_backup.sh