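---
# Docker Swarm stack for authentik, rendered as a Jinja template before the
# stack file is parsed. Every `{{ ... }}` value is quoted so the file is also
# valid YAML before rendering (a bare `{{` at the start of a value is read as a
# flow mapping by any YAML tool that sees the template first).
#
# Secrets (pg_pass, authentik_secret_key) are passed as container environment
# variables, so they end up in the service spec and are readable with
# `docker service inspect`. Docker secrets (`secrets:` plus the *_FILE
# variables, where the image supports them) keep them out of the spec.
#
# NOTE(review): `restart:` is a compose-only key; `docker stack deploy` ignores
# it and uses `deploy.restart_policy` instead — confirm how this stack is
# deployed before relying on it.
networks:
  traefik_public:
    external: true
  internal: {}

services:
  postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $POSTGRES_DB -U $POSTGRES_USER"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /mnt/cephfs/authentik/data/db:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: "{{ pg_pass }}"
      POSTGRES_USER: "{{ pg_user | default('authentik') }}"
      POSTGRES_DB: "{{ pg_db | default('authentik') }}"
    networks:
      - internal

  redis:
    # Floating tag: every redeploy may pull a different Redis release; pin a
    # version (as postgres and authentik are) for reproducible deployments.
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /mnt/cephfs/authentik/data/cache:/data
    networks:
      - internal

  server:
    image: "{{ authentik_image | default('ghcr.io/goauthentik/server') }}:{{ authentik_tag | default('2025.6.3') }}"
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: "{{ authentik_secret_key }}"
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: "{{ pg_user | default('authentik') }}"
      AUTHENTIK_POSTGRESQL__NAME: "{{ pg_db | default('authentik') }}"
      AUTHENTIK_POSTGRESQL__PASSWORD: "{{ pg_pass }}"
      AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
    volumes:
      - /mnt/cephfs/authentik/data/media:/media
      - /mnt/cephfs/authentik/data/templates:/templates
    networks:
      - traefik_public
      - internal
    deploy:
      labels:
        traefik.enable: "true"
        traefik.swarm.network: "{{ traefik_net }}"
        # Presumably intended as: the whole site for traefik_route, plus only
        # the outpost path for any *.genius.ceo host (`&&` binding tighter than
        # `||`) — confirm against the Traefik rule grammar in use.
        # NOTE(review): `traefik.swarm.network` is a Traefik v3 label, but the
        # `{name:regex}` form inside HostRegexp is v2 syntax; v3 treats the
        # whole argument as a Go regexp — verify this router matches at all on
        # the deployed Traefik version.
        traefik.http.routers.authentik.rule: >-
          Host(`{{ traefik_route }}`)
          || HostRegexp(`{subdomain:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?}.genius.ceo`)
          && PathPrefix(`/outpost.goauthentik.io/`)
        traefik.http.routers.authentik.entrypoints: https
        traefik.http.routers.authentik.tls: "true"
        traefik.http.routers.authentik.tls.certresolver: main
        # Label values must be strings; an unquoted 9000 is parsed as an
        # integer and rejected by the compose schema.
        traefik.http.services.authentik.loadbalancer.server.port: "9000"
        # Equivalent list form, kept for reference:
        # - "traefik.enable=true"
        # - "traefik.swarm.network={{ traefik_net }}"
        # - "traefik.http.routers.authentik.rule=Host(`{{ traefik_route }}`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.genius.ceo`) && PathPrefix(`/outpost.goauthentik.io/`)"
        # - "traefik.http.routers.authentik.entrypoints=https"
        # - "traefik.http.routers.authentik.tls=true"
        # - "traefik.http.routers.authentik.tls.certresolver=main"
        # - "traefik.http.services.authentik.loadbalancer.server.port=9000"

  worker:
    image: "{{ authentik_image | default('ghcr.io/goauthentik/server') }}:{{ authentik_tag | default('2025.6.3') }}"
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: "{{ authentik_secret_key }}"
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: "{{ pg_user | default('authentik') }}"
      AUTHENTIK_POSTGRESQL__NAME: "{{ pg_db | default('authentik') }}"
      AUTHENTIK_POSTGRESQL__PASSWORD: "{{ pg_pass }}"
    # `user: root` and the docker socket volume are optional; they are only
    # needed for the docker outpost integration:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Mounting the socket gives the worker full control of the Docker daemon
    # on the node it is scheduled on, which is equivalent to root on that host;
    # keep it only while the docker integration is actually in use.
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have
    # the correct UID/GID (1000:1000 by default).
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/cephfs/authentik/data/media:/media
      - /mnt/cephfs/authentik/data/certs:/certs
      - /mnt/cephfs/authentik/data/templates:/templates
    networks:
      - internal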