---
# Docker Swarm stack for authentik (coop-cloud recipe). `deploy`, `secrets`
# and `configs` below are swarm-only features, so this is meant for
# `docker stack deploy`, not plain `docker compose up`.
#
# Shared environment list, aliased into the `app` and `worker` services via
# `environment: *env`. Entries with no `=` are passed through from the
# deployment environment (the abra `.env`); entries with `=file://...` point
# authentik at a swarm secret mounted under /run/secrets, so the secret value
# itself never appears in the environment.
x-env: &env
  - AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/db_password
  - AUTHENTIK_POSTGRESQL__USER
  - AUTHENTIK_POSTGRESQL__NAME
  - AUTHENTIK_POSTGRESQL__HOST
  - AUTHENTIK_REDIS__HOST
  # Security-relevant toggles: error reporting ships diagnostics to a third
  # party, impersonation lets admins act as other users. Both come from the
  # deployment env; keep them off unless explicitly needed.
  - AUTHENTIK_ERROR_REPORTING__ENABLED
  # Django/authentik signing key: cookies and tokens are signed with it, so
  # rotate via the versioned secret, not by editing the env.
  - AUTHENTIK_SECRET_KEY=file:///run/secrets/secret_key
  - AUTHENTIK_EMAIL__HOST
  - AUTHENTIK_EMAIL__PORT
  - AUTHENTIK_EMAIL__USERNAME
  - AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/email_pass
  - AUTHENTIK_EMAIL__USE_TLS
  - AUTHENTIK_EMAIL__USE_SSL
  - AUTHENTIK_EMAIL__TIMEOUT
  - AUTHENTIK_EMAIL__FROM
  - AUTHENTIK_LOG_LEVEL
  - AUTHENTIK_SETTINGS__THEME__BACKGROUND
  - AUTHENTIK_COLOR_BACKGROUND_LIGHT
  - AUTHENTIK_FOOTER_LINKS
  - AUTHENTIK_IMPERSONATION
  # The remaining names are not authentik settings; presumably they are read
  # by the golang-templated configs (custom_css / custom_flows) — verify.
  - WELCOME_MESSAGE
  - DEFAULT_LANGUAGE
  - EMAIL_SUBJECT
  - EMAIL_TOKEN_EXPIRY_MINUTES
  - DOMAIN
  - LOGOUT_REDIRECT

version: '3.8'

services:
  # Web/API server; the only service exposed through Traefik.
  app:
    image: ghcr.io/goauthentik/server:2023.2.3
    command: server
    # NOTE(review): admin_pass and admin_token are mounted here but nothing in
    # the shared env references them, and the blueprint config that would
    # consume them is only attached to `worker`. If the server really does not
    # need them, drop them from this list (least privilege for the
    # internet-facing container) — confirm against the recipe's templates.
    secrets:
      - db_password
      - admin_pass
      - admin_token
      - secret_key
      - email_pass
    volumes:
      - media:/media
      - custom-templates:/templates
    configs:
      - source: custom_css
        target: /web/dist/custom.css
    networks:
      - internal
      - proxy
    # Liveness probe against authentik's built-in health endpoint on the
    # container-internal port; `-f` makes curl fail on non-2xx responses.
    healthcheck:
      test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    environment: *env
    deploy:
      # Roll back automatically if the new task never becomes healthy.
      update_config:
        failure_action: rollback
        order: start-first
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=proxy"
        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        # TLS-only entrypoint; certificate via the configured ACME resolver.
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
        # NOTE(review): SSLForceHost/SSLHost are the deprecated Traefik v2
        # header-middleware options (dropped in v3); prefer an entrypoint-level
        # redirect in the proxy recipe. Verify against the Traefik version in use.
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
        # Clickjacking protection. Browsers that understand CSP ignore
        # X-Frame-Options when `frame-ancestors` is present, so the SAMEORIGIN
        # value below is only a fallback for older clients.
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
        # NOTE(review): if X_FRAME_OPTIONS_ALLOW_FROM is unset this renders as
        # `frame-ancestors ` (no source list), which is a malformed directive;
        # make sure the deployment env always provides a value such as 'self'.
        - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
        - "coop-cloud.${STACK_NAME}.version=2.0.0+2023.2.3"
  # Background worker (tasks, blueprints, outpost management). Not routed
  # through Traefik and has no healthcheck.
  worker:
    image: ghcr.io/goauthentik/server:2023.2.3
    command: worker
    secrets:
      - db_password
      - admin_pass
      - admin_token
      - secret_key
      - email_pass
    networks:
      - internal
      - proxy
    # SECURITY: root inside the container plus the host Docker socket below
    # is equivalent to root on the host — anyone who compromises the worker
    # can start arbitrary privileged containers. Presumably required for
    # authentik's Docker outpost integration; if outposts are not deployed
    # from this instance, remove the socket mount and the root user.
    user: root
    volumes:
      - backups:/backups
      - media:/media
      - /var/run/docker.sock:/var/run/docker.sock
      - custom-templates:/templates
      # Masking the stock authentication/invalidation flow blueprints with
      # /dev/null so only the recipe's custom_flows blueprint defines them
      # (presumably to avoid the defaults re-creating those flows) — verify.
      - /dev/null:/blueprints/default/10-flow-default-authentication-flow.yaml
      - /dev/null:/blueprints/default/10-flow-default-invalidation-flow.yaml
    configs:
      - source: custom_flows
        target: /blueprints/custom_flows.yaml
    environment: *env
  # PostgreSQL, reachable only on the internal overlay network.
  db:
    image: postgres:12.14-alpine
    secrets:
      - db_password
    volumes:
      - database:/var/lib/postgresql/data
    networks:
      - internal
    # NOTE(review): pg_isready without `-U` probes as the container's OS user;
    # the probe still reports "accepting connections", but each run presumably
    # leaves a "role does not exist" FATAL in the server log, which is noise in
    # any log-based alerting. Consider
    # test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"].
    healthcheck:
      test: ["CMD", "pg_isready"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m
    environment:
      # The postgres image reads the superuser password from the secret file.
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
      - POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
      - POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
    deploy:
      labels:
        backupbot.backup: "true"
        # `$$` is compose escaping: `$(...)` / `${...}` are evaluated by the
        # shell inside the container at backup time, not at deploy time. The
        # dump is written unencrypted to /tmp inside the db container until the
        # post-hook removes it; backupbot is expected to pick it up in between.
        backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=$$(cat /run/secrets/db_password) pg_dump -U $${POSTGRES_USER} $${POSTGRES_DB} > /tmp/backup/backup.sql"
        backupbot.backup.post-hook: "rm -rf /tmp/backup"
        backupbot.backup.path: "/tmp/backup/"
  # Redis for cache/sessions. No AUTH is configured, so isolation relies
  # entirely on it being attached only to the internal overlay network.
  redis:
    image: redis:7.0.9-alpine
    networks:
      - internal
    healthcheck:
      test: ["CMD", "redis-cli","ping"]
      interval: 30s
      timeout: 10s
      retries: 10
      start_period: 1m

# All secrets are pre-created swarm secrets (`external: true`). The
# `SECRET_*_VERSION` suffix allows rotation: create the new secret with a
# bumped version, then redeploy.
secrets:
  db_password:
    external: true
    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
  secret_key:
    external: true
    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
  admin_token:
    external: true
    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
  admin_pass:
    external: true
    name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
  email_pass:
    external: true
    name: ${STACK_NAME}_email_pass_${SECRET_EMAIL_PASS_VERSION}

networks:
  # Shared ingress network owned by the Traefik stack.
  proxy:
    external: true
  # Stack-private overlay for db/redis; not reachable from other stacks.
  internal:

volumes:
  backups:
  media:
  custom-templates:
  database:

# Configs are rendered with Docker's golang template driver at deploy time,
# which is how deployment env values reach the CSS and the flows blueprint.
configs:
  custom_css:
    name: ${STACK_NAME}_custom_css_${CUSTOM_CSS_VERSION}
    file: custom.css.tmpl
    template_driver: golang
  # Blueprint applied by the worker; presumably the consumer of admin_pass /
  # admin_token, since nothing else in this file references them — verify.
  custom_flows:
    name: ${STACK_NAME}_custom_flows_${CUSTOM_FLOWS_VERSION}
    file: custom_flows.yaml.tmpl
    template_driver: golang