docker-infra/1. docker-stacks/authentik/docker-compose.yml


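# Authentik identity-provider stack: PostgreSQL, Redis, the Authentik server
# (published through Traefik) and the Authentik background worker.
services:
  postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      # ":?" makes `docker compose` abort when the secret is unset or empty
      # instead of rendering an empty password into the container.
      POSTGRES_PASSWORD: "${PG_PASS:?database password required}"
      POSTGRES_USER: "${PG_USER:-authentik}"
      POSTGRES_DB: "${PG_DB:-authentik}"
    # NOTE(review): .env is injected wholesale, so this container also receives
    # every other variable in that file (presumably including
    # AUTHENTIK_SECRET_KEY). A dedicated env file per service would narrow that.
    env_file:
      - .env
    # No ports are published; the database is reachable only on `internal`.
    networks:
      - internal

  redis:
    # NOTE(review): floating tag, so each pull may bring a different Redis
    # release. Pin to a reviewed version tag or image digest.
    image: docker.io/library/redis:alpine
    # Snapshot to /data every 60 s if at least one key changed.
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    volumes:
      - redis:/data
    # No password is configured; access control relies on this service being
    # attached to the `internal` network only, with no published ports.
    networks:
      - internal

  server:
    image: ghcr.io/goauthentik/server:2025.10
    container_name: authentik-server-1
    command: server
    # Matches the restart policy of the backing services, so the identity
    # provider comes back after a crash or a host reboot.
    restart: unless-stopped
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: "${PG_USER:-authentik}"
      AUTHENTIK_POSTGRESQL__NAME: "${PG_DB:-authentik}"
      # Fail at compose time rather than start with an empty credential or an
      # empty signing key.
      AUTHENTIK_POSTGRESQL__PASSWORD: "${PG_PASS:?database password required}"
      AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:?secret key required}"
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    # Same start ordering as the worker (start order only, not readiness).
    depends_on:
      - postgresql
      - redis
    env_file:
      - .env
    networks:
      - internal
      - proxy
    labels:
      - "traefik.enable=true"
      # The container sits on two networks; name the one Traefik shares with
      # it so the backend address is not taken from `internal`.
      - "traefik.docker.network=proxy"
      # Your new URL
      - "traefik.http.routers.authentik.rule=Host(`authentik.stackbabber.nl`)"
      - "traefik.http.routers.authentik.entrypoints=websecure"
      - "traefik.http.routers.authentik.tls=true"
      - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
      # Traefik terminates TLS and forwards to this container port.
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
      # OPTIONAL: redirect for the Authentik UI (not strictly needed for forwardAuth)
      # NOTE(review): `redirect-to-https@file` must exist in Traefik's file
      # provider. It is not defined in this file, so confirm it is present,
      # otherwise the plain-HTTP router has no working redirect.
      - "traefik.http.routers.authentik-http.rule=Host(`authentik.stackbabber.nl`)"
      - "traefik.http.routers.authentik-http.entrypoints=web"
      - "traefik.http.routers.authentik-http.middlewares=redirect-to-https@file"

  worker:
    image: ghcr.io/goauthentik/server:2025.10
    command: worker
    restart: unless-stopped
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: "${PG_USER:-authentik}"
      AUTHENTIK_POSTGRESQL__NAME: "${PG_DB:-authentik}"
      AUTHENTIK_POSTGRESQL__PASSWORD: "${PG_PASS:?database password required}"
      AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:?secret key required}"
    depends_on:
      - postgresql
      - redis
    env_file:
      - .env
    # NOTE(review): unlike `server`, the worker mounts neither ./media nor
    # ./custom-templates. Confirm no worker task needs those paths.
    # The Docker socket is not mounted either, which keeps the worker from
    # controlling the host's Docker daemon.
    networks:
      - internal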
# Named volumes that keep service state across container re-creation.
volumes:
  # PostgreSQL data directory (mounted at /var/lib/postgresql/data).
  database:
    driver: local
  # Redis snapshot directory (mounted at /data).
  redis:
    driver: local
networks:
  # Pre-existing network shared with the reverse proxy; Compose does not
  # create it and fails if it is missing.
  proxy:
    external: true
  # Stack-private bridge for database, cache, server and worker traffic.
  # The name is only a label: without `internal: true`, containers attached
  # to it still have outbound connectivity.
  internal:
    driver: bridge