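# Compose stack: Traefik at the edge, an authentik server + worker (the IdP),
# an authentik proxy outpost providing forward-auth for the `whoami` demo app,
# plus PostgreSQL and Redis on the default compose network.
#
# Secrets are no longer committed in this file: every `${VAR:?...}` reference
# makes `docker compose` refuse to start unless VAR is set in the environment
# or a `.env` file next to this file. Generate them, e.g.
#   openssl rand -base64 36   # AUTHENTIK_SECRET_KEY
#   openssl rand -base64 24   # PG_PASS
version: '3.8'

services:
  traefik:
    image: traefik:v2.8
    container_name: traefik
    volumes:
      # The docker provider needs the Docker API. Anyone who can talk to this
      # socket effectively has root on the host; `:ro` only blocks remounting
      # and does NOT restrict API calls, so keep Traefik's attack surface small.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      # Only a plaintext entrypoint is defined below, so the authentik session
      # cookie and the forward-auth headers cross the wire unencrypted. Add a
      # TLS entrypoint (443 + certificate resolver) before exposing this
      # beyond a lab network.
      - "80:80"
    depends_on:
      - server
      - whoami
    command:
      # `--api` enables the dashboard/API handlers but does not publish them:
      # there is no `--api.insecure=true` and no 8080 port mapping, so they
      # are reachable only through a router you add explicitly.
      - "--api"
      - "--providers.docker=true"
      # Containers must opt in with `traefik.enable=true` (see labels below).
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.web.address=:80"

  server:
    image: ghcr.io/goauthentik/server:2022.7.3
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${PG_PASS:?PG_PASS must be set in the environment or .env}
      # Opt in explicitly; when enabled, error reports leave the host.
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED:-false}
      # Signs sessions/tokens; rotating it invalidates every existing session.
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:?AUTHENTIK_SECRET_KEY must be set in the environment or .env}
    ports:
      # Publishes the server directly on the host, bypassing Traefik (and any
      # TLS/middleware you add there). Drop this, or bind it to 127.0.0.1,
      # once the Traefik route below is confirmed to work.
      - "9000:9000"
    depends_on:
      - worker
      - postgresql
      - redis
    labels:
      - "traefik.enable=true"
      # `traefik.port` is a Traefik v1 label and is ignored by v2; the v2
      # label below is what actually selects the backend port.
      - "traefik.http.services.server.loadbalancer.server.port=9000"
      - "traefik.http.routers.server.rule=Host(`auth.example.com`)"

  worker:
    image: ghcr.io/goauthentik/server:2022.7.3
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${PG_PASS:?PG_PASS must be set in the environment or .env}
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED:-false}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:?AUTHENTIK_SECRET_KEY must be set in the environment or .env}
    # NOTE(review): root + the Docker socket means a compromise of the worker
    # is a compromise of the host. This is presumably for authentik's Docker
    # outpost integration -- if you do not create outposts from the UI, drop
    # both `user: root` and the socket mount.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  authentik-proxy:
    # Pinned to the same version as the server; outposts are expected to
    # track the server release, and an unpinned tag would drift on each pull.
    image: ghcr.io/goauthentik/proxy:2022.7.3
    ports:
      # Direct host exposure of the outpost; not needed for the forward-auth
      # flow, which goes through Traefik. Remove or bind to 127.0.0.1.
      - "9091:9000"
    environment:
      # Plain HTTP on the compose network between outpost and server.
      - AUTHENTIK_HOST=http://server:9000
      # Only meaningful for an https:// AUTHENTIK_HOST (skips certificate
      # verification). Harmless with the http:// URL above; set to false if
      # you switch AUTHENTIK_HOST to TLS.
      - AUTHENTIK_INSECURE=true
      # Generated by authentik when the outpost is created; a bearer token
      # for the server API, so keep it out of version control.
      - AUTHENTIK_TOKEN=${AUTHENTIK_OUTPOST_TOKEN:?AUTHENTIK_OUTPOST_TOKEN must be set in the environment or .env}
      # Browser-facing URL of the server; http:// here means the login
      # redirect and session cookie are plaintext (see the traefik ports note).
      - AUTHENTIK_HOST_BROWSER=http://auth.example.com
      # Debug logging of an auth proxy is noisy and may log request details;
      # off unless explicitly enabled.
      - AUTHENTIK_DEBUG=${AUTHENTIK_DEBUG:-false}
    depends_on:
      - server
    labels:
      - "traefik.enable=true"
      # v2 backend-port label (replaces the ignored v1 `traefik.port`).
      - "traefik.http.services.authentik-proxy.loadbalancer.server.port=9000"
      - "traefik.http.routers.authentik-proxy.rule=Host(`app.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik"
      # The outpost needs X-Forwarded-* to know the original host/URI. Traefik
      # only passes client-supplied X-Forwarded-* through when the entrypoint's
      # forwardedHeaders.trustedIPs/insecure is set, so keep those unset (or
      # limited to an upstream proxy) so clients cannot spoof these headers.
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      # Identity headers copied from the outpost's response onto the request
      # that reaches the app; the app must trust only what Traefik sets here.
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"

  whoami:
    image: containous/whoami
    depends_on:
      - authentik-proxy
    labels:
      - "traefik.enable=true"
      # v2 backend-port label (replaces the ignored v1 `traefik.port`).
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      - "traefik.http.routers.whoami.rule=Host(`app.example.com`)"
      # Every request to app.example.com is gated by the forward-auth
      # middleware defined on the authentik-proxy service.
      - "traefik.http.routers.whoami.middlewares=authentik@docker"

  postgresql:
    image: postgres:12-alpine
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      # Must match AUTHENTIK_POSTGRESQL__PASSWORD in server and worker.
      - POSTGRES_PASSWORD=${PG_PASS:?PG_PASS must be set in the environment or .env}
      - POSTGRES_USER=authentik
      - POSTGRES_DB=authentik

  redis:
    # No authentication is configured; this relies on Redis being reachable
    # only from the compose network (no `ports:` entry).
    image: redis:alpine
    healthcheck:
      test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s

volumes:
  database: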