---
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:${AK_VERSION}
    restart: unless-stopped
    command: server
    depends_on:
      - postgresql
      - redis
    environment:
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__NAME=${PG_NAME}
      - AUTHENTIK_POSTGRESQL__USER=${PG_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${PG_PASS}
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_SECRET_KEY=${AK_KEY}
    labels:
      - traefik.enable=${TRAEFIK_ENABLED}
      - traefik.docker.network=${TRAEFIK_NETWORK}
      ### Section HTTP
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
      # redirect to HTTPS only
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
      - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
      ### Section HTTPS
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https
      # configure the exposed service
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
      # of course, enable TLS and it's certificate provider
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
      - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
      # specify a service so a custom port can be used
      - traefik.http.services.${TRAEFIK_SERVICE}.loadbalancer.server.port=${TRAEFIK_SERVICE_PORT}
    networks:
      - internal
      - traefik
    volumes:
      - ${AK_DATA}/media:/media
      - ${AK_DATA}/templates:/templates

  authentik-worker:
    image: ghcr.io/goauthentik/server:${AK_VERSION}
    restart: unless-stopped
    command: worker
    depends_on:
      - postgresql
      - redis
    environment:
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__NAME=${PG_NAME}
      - AUTHENTIK_POSTGRESQL__USER=${PG_USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${PG_PASS}
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_SECRET_KEY=${AK_KEY}
    networks:
      - internal
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${AK_DATA}/media:/media
      - ${AK_DATA}/certs:/certs
      - ${AK_DATA}/templates:/templates

  postgresql:
    image: docker.io/library/postgres:${PG_VERSION}
    restart: unless-stopped
    environment:
      - POSTGRES_DB=${PG_NAME}
      - POSTGRES_USER=${PG_USER}
      - POSTGRES_PASSWORD=${PG_PASS}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      - internal
    volumes:
      - ${PG_DATA}:/var/lib/postgresql/data

  redis:
    image: docker.io/library/redis:${REDIS_VERSION}
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - internal
    volumes:
      - ${REDIS_DATA}:/data

networks:
  internal:
  traefik:
    external: true
    name: ${TRAEFIK_NETWORK}