---
# Docker Swarm / coop-cloud stack for authentik: the `app` (HTTP server) and
# `worker` services share one image and one environment block; Postgres and
# Redis live on the `internal` overlay only.  Mapping keys are unordered in
# Compose, so the key order below is for readability, not semantics.
version: '3.8'

# Environment shared by `app` and `worker` (aliased below via *env).
# Entries with a value are fixed here; entries without `=` are pass-through
# and take their value from the deploying shell's environment.  Credentials
# are not placed in the environment directly: authentik's `file://` form
# makes it read them from the mounted Swarm secret at runtime.
x-env: &env
  - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
  - AUTHENTIK_POSTGRESQL__USER=authentik
  - AUTHENTIK_POSTGRESQL__NAME=authentik
  - AUTHENTIK_POSTGRESQL__HOST=db
  - AUTHENTIK_REDIS__HOST=redis
  - AUTHENTIK_ERROR_REPORTING__ENABLED
  - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
  - AUTHENTIK_EMAIL__HOST
  - AUTHENTIK_EMAIL__PORT
  - AUTHENTIK_EMAIL__USERNAME
  - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
  - AUTHENTIK_EMAIL__USE_TLS
  - AUTHENTIK_EMAIL__USE_SSL
  - AUTHENTIK_EMAIL__TIMEOUT
  - AUTHENTIK_EMAIL__FROM
  - AUTHENTIK_LOG_LEVEL
  - AUTHENTIK_SETTINGS__THEME__BACKGROUND
  - AUTHENTIK_COLOR_BACKGROUND_LIGHT
  - AUTHENTIK_FOOTER_LINKS
  - AUTHENTIK_IMPERSONATION
  - WELCOME_MESSAGE
  - DEFAULT_LANGUAGE
  - EMAIL_SUBJECT
  - EMAIL_TOKEN_EXPIRY_MINUTES
  - DOMAIN
  - LOGOUT_REDIRECT
  - APPLICATIONS

services:
  # authentik HTTP server; the only service Traefik routes to (port 9000).
  app:
    image: ghcr.io/goauthentik/server:2024.4.0
    command: server
    environment: *env
    # All five secrets are mounted; only db_password, secret_key and
    # email_pass are referenced from the environment block above.
    secrets:
      - db_password
      - admin_pass
      - admin_token
      - secret_key
      - email_pass
    volumes:
      - media:/media
      - assets:/web/dist/assets
      - templates:/templates
    networks:
      - internal
      - proxy
    depends_on:
      - db
      - redis
    healthcheck:
      # Raw TCP probe of the server port from inside the container; the
      # doubled `$$` is Compose escaping so `$?` reaches the shell unexpanded.
      test: "bash -c 'printf \"GET / HTTP/1.1\n\n\" > /dev/tcp/127.0.0.1/9000; exit $$?;'"
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 5m
    deploy:
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        # TLS-only entrypoint with an ACME resolver; plain HTTP is not routed.
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
        # Redirect every request to the canonical host over HTTPS.
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        # Clickjacking protection: X-Frame-Options plus a CSP frame-ancestors
        # list; X_FRAME_OPTIONS_ALLOW_FROM widens the latter for trusted
        # embedders only.
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
        - "coop-cloud.${STACK_NAME}.version=6.0.0+2024.4.0"
        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"

  # Background worker: applies the blueprint configs below on start.
  worker:
    image: ghcr.io/goauthentik/server:2024.4.0
    command: worker
    environment: *env
    secrets:
      - db_password
      - admin_pass
      - admin_token
      - secret_key
      - email_pass
    # Blueprints are mounted into /blueprints; numeric prefixes fix their
    # apply order.  Each is a Go-templated Swarm config, versioned by name.
    configs:
      - source: flow_recovery
        target: /blueprints/1_flow_recovery.yaml
      - source: flow_authentication
        target: /blueprints/2_flow_authentication.yaml
      - source: flow_translation
        target: /blueprints/3_flow_translation.yaml
      - source: flow_invitation
        target: /blueprints/4_flow_invitation.yaml
      - source: system_brand
        target: /blueprints/5_system_brand.yaml
      - source: flow_invalidation
        target: /blueprints/6_flow_invalidation.yaml
    volumes:
      - backups:/backups
      - media:/media
      # Masks the image's bundled flow-oobe blueprint (presumably the initial
      # setup flow) with an empty file so it is never applied.
      - /dev/null:/blueprints/default/flow-oobe.yaml
      - templates:/templates
    # NOTE(review): the worker joins `proxy` without any Traefik labels —
    # presumably for outbound reachability; confirm it is actually needed.
    networks:
      - internal
      - proxy
    depends_on:
      - db
      - redis

  # PostgreSQL, reachable only on the internal overlay network.
  db:
    image: postgres:15.5
    entrypoint: /docker-entrypoint.sh
    environment:
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
      - POSTGRES_USER=authentik
      - POSTGRES_DB=authentik
    secrets:
      - db_password
    configs:
      - source: db_entrypoint
        target: /docker-entrypoint.sh
        # Compose reads this leading-zero integer as octal (r-x for all);
        # keep it unquoted, Compose expects a number rather than a string.
        mode: 0555
    volumes:
      - database:/var/lib/postgresql/data
    networks:
      - internal
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "authentik"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    deploy:
      labels:
        backupbot.backup: "true"
        # The pre-hook writes a plaintext dump inside the data directory and
        # the post-hook deletes it; if the post-hook does not run, the dump
        # stays on the `database` volume.  `$$` keeps `$(...)`/`${...}` for
        # the container shell instead of Compose interpolation.
        backupbot.backup.pre-hook: "PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /var/lib/postgresql/data/backup.sql"
        backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/backup.sql"
        backupbot.backup.path: "/var/lib/postgresql/data"

  # Redis cache/broker.  No AUTH is configured in this file, so its only
  # protection is membership of the `internal` network.
  redis:
    image: redis:7.2.4-alpine
    networks:
      - internal
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m

networks:
  # Shared with Traefik; created outside this stack.
  proxy:
    external: true
  internal:

volumes:
  backups:
  media:
  templates:
  assets:
  database:

# All secrets are pre-created Swarm secrets; the `_VERSION` suffix lets a
# rotated secret be deployed under a new name without editing this file.
secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
  secret_key:
    external: true
    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
  admin_token:
    external: true
    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
  admin_pass:
    external: true
    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
  email_pass:
    external: true
    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}

# Go-templated files rendered at deploy time; as with secrets, the
# `_VERSION` suffix forces a new config object when the content changes.
configs:
  flow_authentication:
    name: ${STACK_NAME}_flow_authentication_${FLOW_AUTHENTICATION_VERSION}
    file: flow_authentication.yaml.tmpl
    template_driver: golang
  flow_invitation:
    name: ${STACK_NAME}_flow_invitation_${FLOW_INVITATION_VERSION}
    file: flow_invitation.yaml.tmpl
    template_driver: golang
  flow_invalidation:
    name: ${STACK_NAME}_flow_invalidation_${FLOW_INVALIDATION_VERSION}
    file: flow_invalidation.yaml.tmpl
    template_driver: golang
  flow_recovery:
    name: ${STACK_NAME}_flow_recovery_${FLOW_RECOVERY_VERSION}
    file: flow_recovery.yaml.tmpl
    template_driver: golang
  flow_translation:
    name: ${STACK_NAME}_flow_translation_${FLOW_TRANSLATION_VERSION}
    file: flow_translation.yaml.tmpl
    template_driver: golang
  system_brand:
    name: ${STACK_NAME}_system_brand_${SYSTEM_BRAND_VERSION}
    file: system_brand.yaml.tmpl
    template_driver: golang
  db_entrypoint:
    name: ${STACK_NAME}_db_entrypoint_${DB_ENTRYPOINT_VERSION}
    file: entrypoint.postgres.sh.tmpl
    template_driver: golang