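# Docker Swarm stack: authentik (server + worker) with a dedicated Redis.
# PostgreSQL is external (10.0.4.10); credentials come from Swarm secrets.
services:
  redis:
    # NOTE(review): floating tag; pin a specific version or digest so a
    # redeploy cannot silently pull a different image.
    image: redis:alpine
    command: --save 60 1 --loglevel warning
    volumes:
      - /home/doc/projects/swarm-data/appdata/authentik/redis:/data
    # The published port (6379:6379) was removed. This Redis has no
    # requirepass/ACL configured, and a port published by a Swarm service is
    # reachable on every node by default. authentik reaches Redis by service
    # name over the shared overlay network, so no host port is required.
    # If another consumer really needs it, publish it explicitly (quoted,
    # e.g. "6379:6379") and add authentication first.
    networks:
      - homelab
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    deploy:
      replicas: 1
      resources:
        limits:
          memory: 512M
        reservations:
          memory: 128M

  authentik_server:
    image: ghcr.io/goauthentik/server:2025.10.0
    command: server
    environment:
      # file:// values are read from the mounted Swarm secrets, so no
      # credential appears in this file or in `docker service inspect`.
      AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
      AUTHENTIK_REDIS__HOST: "redis"
      AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
      AUTHENTIK_POSTGRESQL__PORT: "5432"
      # NOTE(review): user "admin" with a secret named "postgres-master"
      # looks like a shared superuser credential - confirm. Prefer a
      # dedicated role that only owns the "authentik" database.
      AUTHENTIK_POSTGRESQL__USER: "admin"
      AUTHENTIK_POSTGRESQL__NAME: "authentik"
      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
      # Optional: Set error reporting (set to false for privacy)
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
    secrets:
      - auth-key
      - postgres-master
    volumes:
      - /home/doc/projects/swarm-data/appdata/authentik/media:/media
      - /home/doc/projects/swarm-data/appdata/authentik/templates:/templates
      # /var/run/docker.sock is intentionally NOT mounted here. This is the
      # internet-facing container (routed by Traefik below), and access to
      # the Docker socket is equivalent to root on the host. authentik's
      # Docker integration for managed outposts is expected to run from the
      # worker - confirm before re-adding the mount to this service.
    networks:
      - homelab
    healthcheck:
      test: ["CMD-SHELL", "ak healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 90s
    deploy:
      replicas: 1
      resources:
        limits:
          memory: 1G
          cpus: '1.0'
        reservations:
          memory: 512M
      # Kept under `deploy` so they are applied as Swarm service labels,
      # matching the traefik.swarm.network label below.
      labels:
        - "traefik.enable=true"
        - "traefik.swarm.network=homelab"
        # Public-facing domain with Let's Encrypt certificate
        - "traefik.http.routers.authentik.rule=Host(`auth.frostlabs.me`)"
        - "traefik.http.routers.authentik.entrypoints=websecure"
        - "traefik.http.routers.authentik.tls=true"
        - "traefik.http.routers.authentik.tls.certresolver=cloudflare"
        - "traefik.http.services.authentik.loadbalancer.server.port=9000"
    # `docker stack deploy` ignores depends_on; start ordering is not
    # enforced in Swarm, so the service must tolerate Redis starting late.
    depends_on:
      - redis

  authentik_worker:
    image: ghcr.io/goauthentik/server:2025.10.0
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: "file:///run/secrets/auth-key"
      AUTHENTIK_REDIS__HOST: "redis"
      AUTHENTIK_POSTGRESQL__HOST: "10.0.4.10"
      AUTHENTIK_POSTGRESQL__PORT: "5432"
      # NOTE(review): same shared "admin" database credential as the server
      # service - confirm, and prefer a dedicated least-privilege role.
      AUTHENTIK_POSTGRESQL__USER: "admin"
      AUTHENTIK_POSTGRESQL__NAME: "authentik"
      AUTHENTIK_POSTGRESQL__PASSWORD: "file:///run/secrets/postgres-master"
      # Optional: Set error reporting (set to false for privacy)
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
    secrets:
      - auth-key
      - postgres-master
    volumes:
      - /home/doc/projects/swarm-data/appdata/authentik/media:/media
      - /home/doc/projects/swarm-data/appdata/authentik/templates:/templates
      # NOTE(review): the Docker socket gives this container full control of
      # the Docker daemon on its node (root-equivalent on the host). Keep it
      # only if authentik manages outposts through Docker; otherwise remove
      # it, or put a filtering socket proxy in front that exposes only the
      # API calls actually needed.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - homelab
    deploy:
      replicas: 1
      resources:
        limits:
          memory: 1G
          cpus: '1.0'
        reservations:
          memory: 512M
    # Ignored by `docker stack deploy`; see the note on authentik_server.
    depends_on:
      - redis

networks:
  # Pre-existing overlay network shared with Traefik.
  homelab:
    external: true

secrets:
  # Created out of band (docker secret create); values never live in this file.
  postgres-master:
    external: true
  auth-key:
    external: true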