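---
# Compose stack for an authentik server + worker published through Traefik.
# Interpolated variables (AUTHENTIK_IMAGE, AUTHENTIK_TAG, SUBDOMAIN, DOMAIN_NAME)
# come from the shell or .env; SECRET_KEY and DB_PASS are file-backed secrets
# under .secrets/ (keep that directory out of version control).
services:
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG}
    restart: unless-stopped
    command: server
    env_file:
      - .env
    secrets:
      - SECRET_KEY
      - DB_PASS
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    networks:
      - mgmt
      - db
    labels:
      - "traefik.enable=true"
      # Main router for the authentik UI/API on ${SUBDOMAIN}.${DOMAIN_NAME}.
      - "traefik.http.routers.${SUBDOMAIN}.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)"
      - "traefik.http.routers.${SUBDOMAIN}.tls=true"
      # NOTE(review): a router with tls=true handles TLS connections only, so
      # listing the plain-HTTP `web` entrypoint here does not by itself give an
      # HTTP->HTTPS redirect; confirm the redirect is configured at the
      # entrypoint or by a separate HTTP-only router.
      - "traefik.http.routers.${SUBDOMAIN}.entrypoints=web,websecure"
      - "traefik.http.routers.${SUBDOMAIN}.tls.certresolver=cloudflare"
      # Security-headers middleware (HSTS, nosniff, XSS filter, frame denial).
      # NOTE(review): headers.SSLRedirect / headers.SSLHost are deprecated in
      # Traefik v2 in favour of entrypoint redirection or the redirectscheme
      # middleware and are gone in v3 — check the Traefik version in use.
      - "traefik.http.middlewares.${SUBDOMAIN}.headers.SSLRedirect=true"
      - "traefik.http.middlewares.${SUBDOMAIN}.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.${SUBDOMAIN}.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.${SUBDOMAIN}.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.${SUBDOMAIN}.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.${SUBDOMAIN}.headers.SSLHost=${DOMAIN_NAME}"
      - "traefik.http.middlewares.${SUBDOMAIN}.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.${SUBDOMAIN}.headers.STSPreload=true"
      - "traefik.http.middlewares.${SUBDOMAIN}.headers.frameDeny=true"
      - "traefik.http.routers.${SUBDOMAIN}.middlewares=${SUBDOMAIN}@docker"
      - "traefik.http.routers.${SUBDOMAIN}.service=${SUBDOMAIN}"
      # The only Traefik service declared in this file; port 9000 is the
      # authentik HTTP listener.
      - "traefik.http.services.${SUBDOMAIN}.loadbalancer.server.port=9000"
      - "traefik.docker.network=mgmt"
      # ForwardAuth middleware definition: other routers attach it as
      # authentik-forwardauth@docker to have authentik authenticate requests.
      # NOTE(review): the address hardcodes the default container name
      # (authentik-server-1), which changes with the compose project name;
      # the service's network alias on the shared network would be less
      # brittle — confirm before changing.
      - "traefik.http.middlewares.authentik-forwardauth.forwardauth.address=http://authentik-server-1:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.authentik-forwardauth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authentik-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
      # Outpost router for /outpost.goauthentik.io paths on any subdomain, so
      # the embedded outpost can complete the forward-auth flow for protected apps.
      # This router previously carried two `.rule` labels (a fixed
      # Host(`authentik.jojops.com`) one and the HostRegexp one below); a label
      # key holds a single value, so the duplicate fixed-host rule was dropped.
      # NOTE(review): HostRegexp with `{name:regex}` is Traefik v2 syntax, and
      # the dots in DOMAIN_NAME are unescaped regex metacharacters — confirm
      # against the Traefik version in use.
      - "traefik.http.routers.authentik-outpost.rule=HostRegexp(`{${SUBDOMAIN}:[a-z0-9-]+}.${DOMAIN_NAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik-outpost.entrypoints=websecure"
      - "traefik.http.routers.authentik-outpost.tls=true"
      # NOTE(review): Traefik's default router priority is the rule length,
      # which is usually larger than 15, so this explicit value may rank the
      # outpost router below the per-host routers — confirm the intended order.
      - "traefik.http.routers.authentik-outpost.priority=15"
      # NOTE(review): `authentik` resolves only when SUBDOMAIN=authentik or a
      # service of that name is defined elsewhere; otherwise ${SUBDOMAIN} is
      # the service declared above — confirm.
      - "traefik.http.routers.authentik-outpost.service=authentik"

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG}
    restart: unless-stopped
    command: worker
    env_file:
      - .env
    secrets:
      - SECRET_KEY
      - DB_PASS
    # NOTE(review): `user: root` looks tied to the docker-socket mount that is
    # commented out below; if the socket stays disabled, confirm root is still
    # needed for the ./media and ./certs writes, otherwise drop it.
    user: root
    networks:
      - db
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock  # Optional, only if using external outposts
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates

networks:
  mgmt:
    external: true
  db:
    external: true

secrets:
  SECRET_KEY:
    file: .secrets/SECRET_KEY
  DB_PASS:
    file: .secrets/DB_PASS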