version: "3.7"
services:
authentik:
image: ghcr.io/goauthentik/server:2023.10.6
restart: unless-stopped
command: server
container_name: authentik
environment:
AUTHENTIK_REDIS__HOST: authentik-redis
AUTHENTIK_POSTGRESQL__HOST: authentik-db
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
volumes:
- ${APP_DATA_DIR}/data/authentik-media:/media
- ${APP_DATA_DIR}/data/authentik-custom-templates:/templates
ports:
- "${APP_PORT}:9443"
depends_on:
- authentik-db
- authentik-redis
networks:
- tipi_main_network
labels:
# Main
traefik.enable: true
traefik.http.middlewares.authentik-web-redirect.redirectscheme.scheme: https
traefik.http.services.authentik.loadbalancer.server.port: 9000
# Web
traefik.http.routers.authentik-insecure.rule: Host(`${APP_DOMAIN}`)
traefik.http.routers.authentik-insecure.entrypoints: web
traefik.http.routers.authentik-insecure.service: authentik
traefik.http.routers.authentik-insecure.middlewares: authentik-web-redirect
# Websecure
traefik.http.routers.authentik.rule: Host(`${APP_DOMAIN}`)
traefik.http.routers.authentik.entrypoints: websecure
traefik.http.routers.authentik.service: authentik
traefik.http.routers.authentik.tls.certresolver: myresolver
# Local domain
traefik.http.routers.authentik-local-insecure.rule: Host(`authentik.${LOCAL_DOMAIN}`)
traefik.http.routers.authentik-local-insecure.entrypoints: web
traefik.http.routers.authentik-local-insecure.service: authentik
traefik.http.routers.authentik-local-insecure.middlewares: authentik-web-redirect
# Local domain secure
traefik.http.routers.authentik-local.rule: Host(`authentik.${LOCAL_DOMAIN}`)
traefik.http.routers.authentik-local.entrypoints: websecure
traefik.http.routers.authentik-local.service: authentik
traefik.http.routers.authentik-local.tls: true
authentik-worker:
image: ghcr.io/goauthentik/server:2023.10.6
restart: unless-stopped
command: worker
container_name: authentik-worker
environment:
AUTHENTIK_REDIS__HOST: authentik-redis
AUTHENTIK_POSTGRESQL__HOST: authentik-db
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ${APP_DATA_DIR}/data/authentik-media:/media
- ${APP_DATA_DIR}/data/authentik-certs:/certs
- ${APP_DATA_DIR}/data/authentik-custom-templates:/templates
depends_on:
- authentik-db
- authentik-redis
networks:
- tipi_main_network
authentik-db:
container_name: authentik-db
image: postgres:12-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- ${APP_DATA_DIR}/data/postgres:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${AUTHENTIK_DB_PASSWORD}
POSTGRES_USER: authentik
POSTGRES_DB: authentik
networks:
- tipi_main_network
authentik-redis:
image: redis:alpine
command: --save 60 1 --loglevel warning
container_name: authentik-redis
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- ${APP_DATA_DIR}/data/redis:/data
networks:
- tipi_main_network