Add Authentik SSO service with fixed service dependencies

Adds new Authentik (v2025.10.0) authentication/SSO stack with:
- Redis cache service
- Authentik server (exposed at auth.frostlabs.me via Traefik)
- Authentik worker for background tasks
- Fixed depends_on references to use correct service name (redis)
- External PostgreSQL backend at 10.0.4.10
- Docker secrets integration for sensitive credentials

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

stacks/apps/authentik/stack.yml

@@ -0,0 +1,91 @@
+services:
+  redis:
+    image: redis:alpine
+    command: --save 60 1 --loglevel warning
+    volumes:
+    - /home/doc/swarm-data/appdata/authentik/redis:/data
+    ports:
+    - 6379:6379
+    networks:
+    - homelab
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+        - node.hostname == p0
+
+  authentik_server:
+    image: ghcr.io/goauthentik/server:2025.10.0
+    command: server
+    environment:
+      AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
+      AUTHENTIK_REDIS__HOST: "redis"
+      AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
+      AUTHENTIK_POSTGRESQL__PORT: "5432"
+      AUTHENTIK_POSTGRESQL__USER: "admin"
+      AUTHENTIK_POSTGRESQL__NAME: "authentik"
+      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
+      # Optional: Set error reporting (set to false for privacy)
+      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
+    secrets:
+    - auth-key
+    - postgres-master
+    volumes:
+    - /home/doc/swarm-data/appdata/authentik/media:/media
+    - /home/doc/swarm-data/appdata/authentik/templates:/templates
+    - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+    - homelab
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+        - node.hostname == p0
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.authentik.rule=Host(`auth.frostlabs.me`)"
+        - "traefik.http.routers.authentik.entrypoints=websecure"
+        - "traefik.http.routers.authentik.tls.certresolver=cloudflare"
+        - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+        - "traefik.docker.network=homelab"
+    depends_on:
+    - redis
+
+  authentik_worker:
+    image: ghcr.io/goauthentik/server:2025.10.0
+    command: worker
+    environment:
+      AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
+      AUTHENTIK_REDIS__HOST: "redis"
+      AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
+      AUTHENTIK_POSTGRESQL__PORT: "5432"
+      AUTHENTIK_POSTGRESQL__USER: "admin"
+      AUTHENTIK_POSTGRESQL__NAME: "authentik"
+      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
+      # Optional: Set error reporting (set to false for privacy)
+      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
+    secrets:
+    - auth-key
+    - postgres-master
+    volumes:
+    - /home/doc/swarm-data/appdata/authentik/media:/media
+    - /home/doc/swarm-data/appdata/authentik/templates:/templates
+    - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+    - homelab
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+        - node.hostname == p0
+    depends_on:
+    - redis
+
+networks:
+  homelab:
+    external: true
+secrets:
+  postgres-master:
+    external: true
+  auth-key:
+    external: true