cloudy/swarm/authentik.yml

---

volumes:
  # database:
  #   driver: local
  redis:
    driver: local

networks:
  authentik:
    driver: overlay
    attachable: true
  traefik-public:
    external: true

services:
  # postgresql:
  #   image: docker.io/library/postgres:16-alpine
  #   restart: unless-stopped
  #   healthcheck:
  #     test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
  #     start_period: 20s
  #     interval: 30s
  #     retries: 5
  #     timeout: 5s
  #   volumes:
  #     - database:/var/lib/postgresql/data
  #   environment:
  #     POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?database password required}
  #     POSTGRES_USER: ${POSTGRES_USER:-authentik}
  #     POSTGRES_DB: ${PG_DB:-authentik}
  #     AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
  #   # env_file:
  #   #   - .env
  #   networks:
  #     - authentik
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
    networks:
      - authentik
  authentik-server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: tasks.redis
      AUTHENTIK_POSTGRESQL__HOST: ${DATABASE__HOSTNAME:-postgresql}
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - /var/data/authentik/media:/media
      - /var/data/authentik/custom-templates:/templates
    # env_file:
    #   - .env
    expose:
      - 9000
      - 9443
    # ports:
    #   - "${COMPOSE_PORT_HTTP:-9000}:9000"
    #   - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    # depends_on:
      # - postgresql
      # - redis
    networks:
      - authentik
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - traefik.swarm.network=traefik-public
        - traefik.constraint-label=traefik-public
        - traefik.http.routers.authentik-rtr.entrypoints=https
        - traefik.http.routers.authentik-rtr.rule=Host(`authentik.${DOMAIN}`)
        - traefik.http.routers.authentik-rtr.tls.certresolver=le
        - traefik.http.routers.authentik-rtr.service=authentik-svc
        - traefik.http.services.authentik-svc.loadbalancer.server.port=9000
  authentik-worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: tasks.redis
      AUTHENTIK_POSTGRESQL__HOST: ${DATABASE__HOSTNAME:-postgresql}
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    # user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/data/authentik/media:/media
      - /var/data/authentik/certs:/certs
      - /var/data/authentik/custom-templates:/templates
    # env_file:
    #   - .env
    # depends_on:
      # - postgresql
      # - redis
    networks:
      - authentik

  # authentik-proxy:
  #   image: ghcr.io/goauthentik/proxy
  #   # ports:
  #   #   - 9000:9000
  #   #   - 9443:9443
  #   environment:
  #     AUTHENTIK_HOST: https://authentik.${DOMAIN}
  #     AUTHENTIK_INSECURE: "false"
  #     AUTHENTIK_TOKEN: token-generated-by-authentik
  #     # Starting with 2021.9, you can optionally set this too
  #     # when authentik_host for internal communication doesn't match the public URL
  #     # AUTHENTIK_HOST_BROWSER: https://external-domain.tld
  #   labels:
  #     traefik.enable: true
  #     traefik.port: 9000
  #     traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
  #     # `authentik-proxy` refers to the service name in the compose file.
  #     traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
  #     traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
  #     traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
  #   restart: unless-stopped