From 8eb3106777615d5016c0228121e2ea88c0b5b4a4 Mon Sep 17 00:00:00 2001
From: John
Date: Wed, 29 Oct 2025 16:51:47 +0000
Subject: [PATCH] Add Authentik SSO service with fixed service dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds new Authentik (v2025.10.0) authentication/SSO stack with:
- Redis cache service
- Authentik server (exposed at auth.frostlabs.me via Traefik)
- Authentik worker for background tasks
- Fixed depends_on references to use correct service name (redis)
- External PostgreSQL backend at 10.0.4.10
- Docker secrets integration for sensitive credentials

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 stacks/apps/authentik/stack.yml | 91 +++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 stacks/apps/authentik/stack.yml

diff --git a/stacks/apps/authentik/stack.yml b/stacks/apps/authentik/stack.yml
new file mode 100644
index 0000000..f56aae4
--- /dev/null
+++ b/stacks/apps/authentik/stack.yml
@@ -0,0 +1,91 @@
+services:
+ redis:
+ image: redis:alpine
+ command: --save 60 1 --loglevel warning
+ volumes:
+ - /home/doc/swarm-data/appdata/authentik/redis:/data
+ ports:
+ - 6379:6379
+ networks:
+ - homelab
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == p0
+
+ authentik_server:
+ image: ghcr.io/goauthentik/server:2025.10.0
+ command: server
+ environment:
+ AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
+ AUTHENTIK_REDIS__HOST: "redis"
+ AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
+ AUTHENTIK_POSTGRESQL__PORT: "5432"
+ AUTHENTIK_POSTGRESQL__USER: "admin"
+ AUTHENTIK_POSTGRESQL__NAME: "authentik"
+ AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
+ # Optional: Set error reporting (set to false for privacy)
+ AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
+ secrets:
+ - auth-key
+ - postgres-master
+ volumes:
+ - /home/doc/swarm-data/appdata/authentik/media:/media
+ - /home/doc/swarm-data/appdata/authentik/templates:/templates
+ - /var/run/docker.sock:/var/run/docker.sock
+ networks:
+ - homelab
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == p0
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.authentik.rule=Host(`auth.frostlabs.me`)"
+ - "traefik.http.routers.authentik.entrypoints=websecure"
+ - "traefik.http.routers.authentik.tls.certresolver=cloudflare"
+ - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+ - "traefik.docker.network=homelab"
+ depends_on:
+ - redis
+
+ authentik_worker:
+ image: ghcr.io/goauthentik/server:2025.10.0
+ command: worker
+ environment:
+ AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
+ AUTHENTIK_REDIS__HOST: "redis"
+ AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
+ AUTHENTIK_POSTGRESQL__PORT: "5432"
+ AUTHENTIK_POSTGRESQL__USER: "admin"
+ AUTHENTIK_POSTGRESQL__NAME: "authentik"
+ AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
+ # Optional: Set error reporting (set to false for privacy)
+ AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
+ secrets:
+ - auth-key
+ - postgres-master
+ volumes:
+ - /home/doc/swarm-data/appdata/authentik/media:/media
+ - /home/doc/swarm-data/appdata/authentik/templates:/templates
+ - /var/run/docker.sock:/var/run/docker.sock
+ networks:
+ - homelab
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.hostname == p0
+ depends_on:
+ - redis
+
+networks:
+ homelab:
+ external: true
+secrets:
+ postgres-master:
+ external: true
+ auth-key:
+ external: true
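Review bot: The `redis` service publishes `6379:6379` while its `command` sets no `--requirepass` or ACL, so in swarm mode an unauthenticated Redis is reachable on the published port of the cluster nodes rather than only from the `homelab` overlay. Both Authentik services already address it as `redis` over that network (`AUTHENTIK_REDIS__HOST: "redis"`), so the `ports:` block under `redis` can be dropped; the `redis:alpine` tag is also unpinned, unlike the Authentik images. The `/var/run/docker.sock:/var/run/docker.sock` bind mount on `authentik_server` and `authentik_worker` gives the internet-facing identity provider control of the Docker daemon on `p0`, which is equivalent to root on that host; it should be removed from the server and kept on the worker only if the Docker outpost integration is actually used. The login `AUTHENTIK_POSTGRESQL__USER: "admin"` with the secret `postgres-master` looks like a shared superuser credential, and a dedicated role that owns only the `authentik` database would limit what a compromise of this stack exposes. As far as I know `docker stack deploy` ignores `depends_on`, so the ordering the commit message describes is not enforced and the services have to tolerate Redis starting late.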