services:
  postgres:
    image: postgres:17
    restart: always
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - ${DATA_DIR:-./data}/postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-authentik}
      POSTGRES_USER: ${POSTGRES_USER:-authentik}
      POSTGRES_DB: ${POSTGRES_DB:-authentik}
  redis:
    image: redis:8
    command: --save 60 1 --loglevel warning
    restart: always
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - ${DATA_DIR:-./data}/redis:/data
  server:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2025.4.1}
    restart: always
    user: root
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD:-authentik}
      AUTHENTIK_ERROR_REPORTING__ENABLED: true
      AUTHENTIK_EMAIL__HOST: ${SMTP_HOST:?smtp host required}
      AUTHENTIK_EMAIL__PORT: ${SMTP_PORT:-587}
      AUTHENTIK_EMAIL__USERNAME: ${SMTP_USERNAME:?smtp username required}
      AUTHENTIK_EMAIL__PASSWORD: ${SMTP_PASSWORD:?smtp password required}
      AUTHENTIK_EMAIL__USE_TLS: ${SMTP_USE_TLS:-true}
      AUTHENTIK_EMAIL__FROM: ${SMTP_FROM:?smtp from required}
    volumes:
      - ${DATA_DIR:-./data}/authentik/media:/media
      - ${DATA_DIR:-./data}/authentik/templates:/templates
    ports:
      - "${HTTP_PORT:-9000}:9000"
      - "${HTTPS_PORT:-9443}:9443"
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
  worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2025.4.1}
    restart: always
    user: root
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD:-authentik}
      AUTHENTIK_ERROR_REPORTING__ENABLED: true
      AUTHENTIK_EMAIL__HOST: ${SMTP_HOST:?smtp host required}
      AUTHENTIK_EMAIL__PORT: ${SMTP_PORT:-587}
      AUTHENTIK_EMAIL__USERNAME: ${SMTP_USERNAME:?smtp username required}
      AUTHENTIK_EMAIL__PASSWORD: ${SMTP_PASSWORD:?smtp password required}
      AUTHENTIK_EMAIL__USE_TLS: ${SMTP_USE_TLS:-true}
      AUTHENTIK_EMAIL__FROM: ${SMTP_FROM:?smtp from required}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DATA_DIR:-./data}/authentik/media:/media
      - ${DATA_DIR:-./data}/authentik/certs:/certs
      - ${DATA_DIR:-./data}/authentik/templates:/templates
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy