Authentik deployed to production

authentik/stack.yml

@@ -0,0 +1,120 @@
+services:
+  redis:
+    image: redis:alpine
+    command: --save 60 1 --loglevel warning
+    volumes:
+    - /home/doc/projects/swarm-data/authentik/redis:/data
+    networks:
+    - frostlabs
+    healthcheck:
+      test: [ "CMD", "redis-cli", "ping" ]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.labels.task == compute
+      resources:
+        limits:
+          memory: 512M
+        reservations:
+          memory: 128M
+
+  authentik_server:
+    image: ghcr.io/goauthentik/server:2025.10.0
+    command: server
+    environment:
+      AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
+      AUTHENTIK_REDIS__HOST: "redis"
+      AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
+      AUTHENTIK_POSTGRESQL__PORT: "5432"
+      AUTHENTIK_POSTGRESQL__USER: "admin"
+      AUTHENTIK_POSTGRESQL__NAME: "authentik"
+      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
+      # Optional: Set error reporting (set to false for privacy)
+      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
+    secrets:
+    - auth-key
+    - postgres-master
+    volumes:
+    - /home/doc/projects/swarm-data/authentik/media:/media
+    - /home/doc/projects/swarm-data/authentik/templates:/templates
+    - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+    - frostlabs
+    healthcheck:
+      test: [ "CMD-SHELL", "ak healthcheck" ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 90s
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.labels.task == control
+      resources:
+        limits:
+          memory: 1G
+          cpus: '1.0'
+        reservations:
+          memory: 512M
+      labels:
+      - "traefik.enable=true"
+      - "traefik.swarm.network=frostlabs"
+      # Public-facing domain with Let's Encrypt certificate
+      - "traefik.http.routers.authentik.rule=Host(`auth.frostlabs.me`)"
+      - "traefik.http.routers.authentik.entrypoints=websecure"
+      - "traefik.http.routers.authentik.tls=true"
+      - "traefik.http.routers.authentik.tls.certresolver=cloudflare"
+      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+
+    depends_on:
+    - redis
+
+  authentik_worker:
+    image: ghcr.io/goauthentik/server:2025.10.0
+    command: worker
+    environment:
+      AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
+      AUTHENTIK_REDIS__HOST: "redis"
+      AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
+      AUTHENTIK_POSTGRESQL__PORT: "5432"
+      AUTHENTIK_POSTGRESQL__USER: "admin"
+      AUTHENTIK_POSTGRESQL__NAME: "authentik"
+      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
+      # Optional: Set error reporting (set to false for privacy)
+      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
+    secrets:
+    - auth-key
+    - postgres-master
+    volumes:
+    - /home/doc/projects/swarm-data/authentik/media:/media
+    - /home/doc/projects/swarm-data/authentik/templates:/templates
+    - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+    - frostlabs
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.labels.task == compute
+      resources:
+        limits:
+          memory: 1G
+          cpus: '1.0'
+        reservations:
+          memory: 512M
+    depends_on:
+    - redis
+networks:
+  frostlabs:
+    external: true
+secrets:
+  postgres-master:
+    external: true
+  auth-key:
+    external: true