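###############################################################
# ------------------------------
# -- authentik (Identity Provider / SSO)
# -- Updated/Created 2024-July-02
# Authentik configuration: https://docs.goauthentik.io/docs/installation/configuration
# ------------------------------
# Layout of this stack:
#   server / worker  -> authentik itself (same image, different `command`)
#   postgresql, redis -> authentik's backing stores, reachable only on authentik-net
#   socket-proxy     -> filtered Docker API for the worker's outpost integration
#   whoami*          -> throw-away test targets for the Traefik forwardAuth wiring
# ------------------------------
name: authentik  # Project Name

###############################################################
# Networks
###############################################################
networks:
  # Private network between the worker and the Docker socket proxy.
  socket_proxy:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: "br-authentik_sx"
  # Shared with the Traefik stack (created elsewhere).
  traefik-net:
    external: true
  # Internal network for authentik <-> postgres/redis (created elsewhere).
  authentik-net:
    external: true

###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
# In non-swarm Compose these are bind mounts, so the host file's owner and
# mode are what the container user sees under /run/secrets.
###############################################################
secrets:
  ## Authentik
  authentik_postgresql_database:
    file: ${SECRETSDIR}/authentik_postgresql_database
  authentik_postgresql_username:
    file: ${SECRETSDIR}/authentik_postgresql_username
  authentik_postgresql_password:
    file: ${SECRETSDIR}/authentik_postgresql_password
  authentik_secret_key:
    file: ${SECRETSDIR}/authentik_secret_key
  smtp_username:
    file: ${SECRETSDIR}/smtp_username
  smtp_password:
    file: ${SECRETSDIR}/smtp_password
  ## GeoIP
  geoip_account_id:
    file: ${SECRETSDIR}/geoip_account_id
  geoip_license_key:
    file: ${SECRETSDIR}/geoip_license_key

##############################################################################
services:
  # Use the embedded outpost (2021.8.1+) instead of the separate Forward Auth / Proxy Provider container
  server:
    # server and worker must run the same authentik version; pin one explicit
    # release tag on BOTH services instead of `latest` so a partial pull cannot
    # leave them mismatched.
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    env_file: .server.env
    environment:
      - AUTHENTIK_REDIS__HOST=authentik_redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
    command: server
    # Quoted so the interpolated "uid:gid" is always read as a string.
    user: "${PUID}:${PGID}"
    # Same hardening flag the other services in this file already set; the
    # process runs as an unprivileged user and needs no setuid escalation.
    security_opt:
      - no-new-privileges:true
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      # NOTE(review): no DOCKER_HOST is set on this service. If the server does
      # not talk to the Docker API, drop this attachment to shrink its reach.
      socket_proxy: {}
      authentik-net: {}
      traefik-net:
        aliases: ["authentik_server"]  # keep the same as forwardAuth address (hostname) in traefik middlewares "forwardAuth-authentik.yml"
    secrets:
      - authentik_postgresql_database
      - authentik_postgresql_username
      - authentik_postgresql_password
      - authentik_secret_key
    volumes:
      - "${DATADIR}/appdata/media:/media"
      - "${DATADIR}/appdata/custom-templates:/templates"
      - "${DATADIR}/appdata/geoip/data:/geoip"
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      ## HTTP Routers
      # The IdP's own UI is intentionally NOT behind the forwardAuth middleware.
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
      ## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)
      # `{name:regex}` placeholders are Traefik v2 syntax; Traefik v3's HostRegexp
      # takes a plain Go regexp, so adjust this rule when upgrading.
      # This router declares no `.service`; Traefik attaches the single service
      # declared below (${APPLICATION_NAME}-svc) automatically.
      - "traefik.http.routers.${APPLICATION_NAME}-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
      ## HTTP Services
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
      - "traefik.http.services.${APPLICATION_NAME}-svc.loadBalancer.server.port=${WEBUI_PORT}"

  worker:
    # Keep this tag identical to the server service (see note there).
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    env_file: .worker.env
    environment:
      # Docker API reached only through the filtered proxy, never the raw socket.
      - DOCKER_HOST=tcp://authentik_socket-proxy:2375  # Use this if you have Socket Proxy enabled.
      - AUTHENTIK_REDIS__HOST=authentik_redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
    user: "${PUID}:${PGID}"
    command: worker
    security_opt:
      - no-new-privileges:true
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - authentik-net
      - socket_proxy
    secrets:
      - authentik_postgresql_database
      - authentik_postgresql_username
      - authentik_postgresql_password
      - authentik_secret_key
      # Only the worker sends mail, so only it receives the SMTP credentials.
      - smtp_username
      - smtp_password
    volumes:
      - "${DATADIR}/appdata/media:/media"
      - "${DATADIR}/appdata/custom-templates:/templates"
      - "${DATADIR}/appdata/geoip/data:/geoip"
      # - /var/run/docker.sock:/var/run/docker.sock  # Uncomment if NOT using socket-proxy (gives the worker unrestricted Docker API access)
      # - "${DATADIR}/appdata/traefik/cert_export:/certs:ro"  # If NOT using reverse proxy, manually map in certificates

  postgresql:
    image: postgres:16-alpine
    shm_size: 128mb  # https://hub.docker.com/_/postgres
    restart: unless-stopped
    env_file: .postgresql.env
    healthcheck:
      # `$$` escapes Compose interpolation so the container's own env is used.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      # Not on traefik-net: the database is never exposed through the proxy.
      authentik-net:
        aliases: ["authentik_postgresql"]
    volumes:
      - "${DATADIR}/pgdata:/var/lib/postgresql/data"
    secrets:
      - authentik_postgresql_database
      - authentik_postgresql_username
      # Generate the password with openssl rand 36 | base64 -w 0
      - authentik_postgresql_password

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      authentik-net:
        aliases: ["authentik_redis"]
    volumes:
      - "${DATADIR}/appdata/redis/data:/data"

  # geoipupdate:
  #   image: ghcr.io/maxmind/geoipupdate:latest
  #   container_name: geoipupdate
  #   restart: unless-stopped
  #   user: ${PUID}:${PGID}
  #   volumes:
  #     - "${DATADIR}/appdata/geoip/data:/usr/share/GeoIP"
  #   networks:
  #     - authentik-net
  #   secrets:
  #     - geoip_account_id
  #     - geoip_license_key
  #   environment:
  #     - GEOIPUPDATE_EDITION_IDS
  #     - GEOIPUPDATE_FREQUENCY
  #     - GEOIPUPDATE_ACCOUNT_ID_FILE
  #     - GEOIPUPDATE_LICENSE_KEY_FILE
  #     - TZ

  socket-proxy:
    image: tecnativa/docker-socket-proxy:0.2.0  # 0.1.2
    restart: unless-stopped
    # The allow-list in this env file is the real boundary for what the worker
    # may ask the Docker API; keep it to the minimum the integration needs.
    env_file: .socket-proxy.env
    security_opt:
      - no-new-privileges:true
    networks:
      socket_proxy:
        aliases: ["authentik_socket-proxy"]
    # `privileged` removes all capability and device restrictions from this
    # container, which already holds the host's Docker socket. Keep it false
    # unless the host setup genuinely needs it (per the original note below).
    privileged: true  # true for VM. false for unprivileged LXC container.
    # Never publish the proxy port; only the socket_proxy network should reach it.
    # ports:
    #   - "127.0.0.1:2375:2375"
    volumes:
      # `:ro` only makes the mount entry read-only; API calls over the socket
      # still work, so it is not a substitute for the proxy's allow-list.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  # The three whoami services are test targets that echo request details back.
  # Remove them once the forwardAuth wiring has been verified.
  whoami:
    image: traefik/whoami:latest
    # container_name: whoami
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-net
    environment:
      - TZ
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      ## HTTP Routers
      # Deliberately unauthenticated: control case for the two protected variants.
      - "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"

  whoami-individual:
    image: traefik/whoami:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - server
      - worker
    networks:
      - traefik-net
    environment:
      - TZ
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      ## HTTP Routers
      - "traefik.http.routers.whoami-individual-rtr.rule=Host(`whoami-individual.${DOMAINNAME}`)"
      ## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
      - "traefik.http.routers.whoami-individual-rtr.middlewares=forwardAuth-authentik@file"

  whoami-catchall:
    image: traefik/whoami:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - server
      - worker
    networks:
      - traefik-net
    environment:
      - TZ
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik-net
      ## HTTP Routers
      - "traefik.http.routers.whoami-catchall-rtr.rule=Host(`whoami-catchall.${DOMAINNAME}`)"
      ## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
      - "traefik.http.routers.whoami-catchall-rtr.middlewares=forwardAuth-authentik@file"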