From f3d000aefa92b90d0d07cb4cbcba4da1c469fdee Mon Sep 17 00:00:00 2001
From: Jonathan Agmon
Date: Sat, 25 Oct 2025 10:06:07 +0000
Subject: [PATCH] Fixes for Authentik

---
 mgmt/authentik/compose.yml | 22 ++++++----------------
 1 file changed, 6 insertions(+), 16 deletions(-)

diff --git a/mgmt/authentik/compose.yml b/mgmt/authentik/compose.yml
index b042e59..60f4fe1 100644
--- a/mgmt/authentik/compose.yml
+++ b/mgmt/authentik/compose.yml
@@ -12,11 +12,8 @@ services:
       - ./media:/media
       - ./custom-templates:/templates
     networks:
-      - webapp
+      - mgmt
       - db
-    # ports:
-    #   - "${COMPOSE_PORT_HTTP:-9000}:9000"
-    #   - "${COMPOSE_PORT_HTTPS:-9443}:9443"
     labels:
       - traefik.enable=true
       - traefik.http.routers.$SUBDOMAIN.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
@@ -32,28 +29,21 @@ services:
       - traefik.http.middlewares.$SUBDOMAIN.headers.STSIncludeSubdomains=true
       - traefik.http.middlewares.$SUBDOMAIN.headers.STSPreload=true
       - traefik.http.middlewares.$SUBDOMAIN.headers.frameDeny=true
-      # - traefik.http.routers.$SUBDOMAIN.middlewares=$SUBDOMAIN@docker
+      - traefik.http.routers.$SUBDOMAIN.middlewares=$SUBDOMAIN@docker
       - traefik.http.routers.$SUBDOMAIN.service=$SUBDOMAIN
       - traefik.http.services.$SUBDOMAIN.loadbalancer.server.port=9000
-      - traefik.docker.network=webapp
-      - "traefik.http.routers.authentik-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAIN_NAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
-
+      - traefik.docker.network=mgmt
       # ForwardAuth middleware definition
       - "traefik.http.middlewares.authentik-forwardauth.forwardauth.address=http://authentik-server-1:9000/outpost.goauthentik.io/auth/traefik"
       - "traefik.http.middlewares.authentik-forwardauth.forwardauth.trustForwardHeader=true"
       - "traefik.http.middlewares.authentik-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
       # Outpost router for /outpost.goauthentik.io paths
-      - "traefik.http.routers.$SUBDOMAIN-outpost.rule=Host(`authentik.jojops.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
-      # - "traefik.http.routers.authentik-outpost.entrypoints=websecure"
-      # - "traefik.http.routers.authentik-outpost.tls=true"
-      - traefik.http.routers.$SUBDOMAIN.priority=15
-      # - "traefik.http.routers.authentik-outpost.service=authentik-svc"
+      - "traefik.http.routers.authentik-outpost.rule=Host(`authentik.jojops.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
       - "traefik.http.routers.authentik-outpost.rule=HostRegexp(`{$SUBDOMAIN:[a-z0-9-]+}.$DOMAIN_NAME`) && PathPrefix(`/outpost.goauthentik.io/`)"
       - "traefik.http.routers.authentik-outpost.entrypoints=websecure"
       - "traefik.http.routers.authentik-outpost.tls=true"
       - "traefik.http.routers.authentik-outpost.priority=15"
       - "traefik.http.routers.authentik-outpost.service=authentik"
-
   worker:
     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG}
     restart: unless-stopped
@@ -67,12 +57,12 @@ services:
     networks:
       - db
     volumes:
-      # - /var/run/docker.sock:/var/run/docker.sock
+      # - /var/run/docker.sock:/var/run/docker.sock # Optional, only if using external outposts
       - ./media:/media
       - ./certs:/certs
       - ./custom-templates:/templates
 networks:
-  webapp:
+  mgmt:
     external: true
   db:
     external: true