version: '3.8'

# Deploy with:
#   docker stack deploy -c authentik.yml authentik
#
# Runs on: docker-swarm-1
# Authentik server + worker, using the shared postgres stack.
# No Redis required as of 2026.2.x.
# Initial setup wizard at http://<host>:9000/if/flow/initial-setup/

services:
  server:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2026.2.1}
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_POSTGRESQL__HOST: postgres_postgres
      AUTHENTIK_POSTGRESQL__PORT: 5432
      AUTHENTIK_POSTGRESQL__NAME: authentik_db
      AUTHENTIK_POSTGRESQL__USER: authentik_user
      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
    ports:
      - "9000:9000"
      - "9443:9443"
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
    networks:
      - overlay-net
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.hostname == pve-tools
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3

  worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2026.2.1}
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_POSTGRESQL__HOST: postgres_postgres
      AUTHENTIK_POSTGRESQL__PORT: 5432
      AUTHENTIK_POSTGRESQL__NAME: authentik_db
      AUTHENTIK_POSTGRESQL__USER: authentik_user
      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
      - authentik_certs:/certs
    networks:
      - overlay-net
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.hostname == pve-tools
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3

volumes:
  authentik_media:
  authentik_templates:
  authentik_certs:

networks:
  overlay-net:
    external: true
    name: ${OVERLAY_NETWORK:-homelab-net}