Merge branch 'refactor-docker-compose'

cleanup; Readme still in WIP
Merge branch '2025.6' into 'main'
2025-07-26 00:10:37 +02:00 · 2025-07-26 00:08:06 +02:00 · 2025-07-22 15:59:19 +02:00 · 2025-07-22 15:49:57 +02:00 · 2025-07-22 15:41:36 +02:00 · 2025-07-22 15:30:50 +02:00
13 changed files with 301 additions and 639 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,6 @@
 # Project
 .env
 lego.env
 docker-compose.yml
 data/*
 data/nginx/*
 !data
--- a/README.md
+++ b/README.md
@ -1,15 +1,13 @@
-# `sso.base23.de` - Base23 SSO for all services
+# `sso.s1q.dev` - Base23 SSO for all services
 [Authentik](https://goauthentik.io/) based SSO for our sevices.
 ## Table of Contents
- [`sso.base23.de` - Base23 SSO for all services](#ssobase23de---base23-sso-for-all-services)
+- [`sso.s1q.dev` - Base23 SSO for all services](#ssos1qdev---base23-sso-for-all-services)
  - [Table of Contents](#table-of-contents)
  - [Prerequisites](#prerequisites)
    - [Server Setup](#server-setup)
    - [Tailscale](#tailscale)
    - [Base23 Docker registry login](#base23-docker-registry-login)
    - [CrowdSec](#crowdsec)
      - [Setup CrowdSec Repo](#setup-crowdsec-repo)
      - [Install CrowdSec](#install-crowdsec)
@ -25,32 +23,7 @@
 ## Prerequisites
-### Server Setup
+- dokploy
 ```shell
 apt update \
  && apt upgrade -y \
  && for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg; done \
  && apt install ca-certificates curl \
  && install -m 0755 -d /etc/apt/keyrings \
  && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
  && chmod a+r /etc/apt/keyrings/docker.asc \
  && echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  tee /etc/apt/sources.list.d/docker.list > /dev/null \
  && apt update \
  && apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
  && mkdir -p /var/lib/apps \
  && ln -s /var/lib/apps \
  && apt install -y git vim \
  && TEMP_DIR=$(mktemp -d) \
  && curl -fsSL https://github.com/go-acme/lego/releases/download/v4.20.2/lego_v4.20.2_linux_amd64.tar.gz -o ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz \
  && tar xzvf ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz --directory=${TEMP_DIR} \
  && install -m 755 -o root -g root "${TEMP_DIR}/lego" "/usr/local/bin" \
  && rm -rf ${TEMP_DIR} \
  && unset TEMP_DIR
 ```
 ### Tailscale
@ -61,18 +34,12 @@ printf "Enter preauthkey for Tailscale: " \
  && curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list \
  && apt-get update \
  && apt-get install tailscale \
-  && tailscale up --login-server https://vpn.base23.de --authkey ${TAILSCALE_PREAUTHKEY} --advertise-tags=tag:prod-servers \
+  && tailscale up --login-server https://vpn.s1q.dev --authkey ${TAILSCALE_PREAUTHKEY} \
  && sleep 2 \
  && tailscale status \
  && unset TAILSCALE_PREAUTHKEY
 ```
 ### Base23 Docker registry login
 ```shell
 docker login -u gitlab+deploy-token-5 registry.git.base23.de
 ```
 ### CrowdSec
 #### Setup CrowdSec Repo
@ -116,9 +83,9 @@ systemctl restart crowdsec; systemctl status crowdsec.service
 Whitelist Tailscale IPs:
 ```shell
-cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-base23-tailscale.yaml \
+cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-s1q-dev-tailscale.yaml \
  && systemctl restart crowdsec; journalctl -xef -u crowdsec.service
-name: base23/tailscale ## Must be unqiue
+name: s1q-dev/tailscale ## Must be unqiue
 description: "Whitelist events from Tailscale Subnet"
 whitelist:
  reason: "Tailscale clients"
@ -127,18 +94,18 @@ whitelist:
 EOF
 ```
-Whitelist our current Public IPs:
+Whitelist my current Public IPs:
 ```shell
 mkdir -p /etc/crowdsec/postoverflows/s01-whitelist/ \
-  && cat << EOF > /etc/crowdsec/postoverflows/s01-whitelist/01-base23-public-ips.yaml \
+  && cat << EOF > /etc/crowdsec/postoverflows/s01-whitelist/01-s1q-dev-public-ips.yaml \
  && crowdsec -t && systemctl restart crowdsec; systemctl status crowdsec.service
-name: base23/public-ips ## Must be unqiue
+name: s1q-dev/public-ips ## Must be unqiue
-description: "Whitelist events from base23 public IPs"
+description: "Whitelist events from s1q-dev public IPs"
 whitelist:
-  reason: "Base23 Public IPs"
+  reason: "s1q-dev Public IPs"
  expression:
-    - evt.Overflow.Alert.Source.IP in LookupHost("asterix.ddns.base23.de")
+    - evt.Overflow.Alert.Source.IP in LookupHost("r3w.de")
 EOF
 ```
@ -151,8 +118,8 @@ cscli collections install firix/authentik \
 ---
 source: docker
 container_name_regexp:
-  - sso-base23-de-server-*
+  - sso-s1q-dev-de-server-*
-  - sso-base23-de-worker-*
+  - sso-s1q-dev-de-worker-*
 labels:
  type: authentik
 EOF
@ -177,8 +144,8 @@ Setup notifications:
 ```shell
 cd /root/apps \
-  && git clone ssh://git@git.base23.de:222/base23/sso.base23.de.git \
+  && git clone ssh://git@git.base23.de:222/base23/sso.s1q.dev.git \
-  && cd sso.base23.de \
+  && cd sso.s1q.dev \
  && ./scripts/init.sh
 ```
@ -202,37 +169,47 @@ TARGET_IPV6=$(dig +short "${TARGET_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:
 ### Fist run
 ```shell
-docker compose build --no-cache \
+./scripts/compose.sh build --no-cache \
    --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
    --build-arg SRC_REV=$(git rev-parse --short HEAD) \
-  && docker compose up -d; docker compose logs -f
+  && ./scripts/compose.sh up -d; ./scripts/compose.sh logs -f
 ```
 ## Upgrade
 ### Test
 This is intended for testing the upgrades before rollout on prod. 
-1. Check if the backups are up to date: `docker compose run --rm restore-cli /usr/local/bin/restic snapshots`
+1. Check if the backups are up to date: `./scripts/compose.sh run --rm restore-cli /usr/local/bin/restic snapshots`
-2. Update `AUTHENTIK_TAG` to the desired tag in `env.test.template`.
+2. Create a new branch `git checkout -b <version>`.
-3. Commit & push changes to the Repo.
+3. Download the the docker compose for the version you want to update:
-4. Run `diff --color='auto' env.test.template .env` to display the diff between
+   `curl -fsSL -o docker-compose.yml https://goauthentik.io/version/<version>/docker-compose.yml`
-`env.test.template` and `.env`.
+4. Update `AUTHENTIK_TAG` to the desired tag in `env.test.template`.
-5. Port the made changes to `.env`.
+5. Check the upstream `docker-compose.yml` file against ours for changes made in the configuration. Check the Postgresql and Redis docker tags. Minor revisions of Postgresql *should be fine*, check the changelogs for any issues and if none are present raise to the latest Minor version (e.g. 16.6 -> 16.9). Redis should be less problematic for upgrades, check nonetheless.
-6. `docker-compose-2.32.4 pull`
+6. Run `diff --color='auto' env.test.template .env` to display the diff between
-7. `docker-compose-2.32.4 down`
+   `env.test.template` and `.env`.
-8. `docker-compose-2.32.4 up -d; docker-compose-2.32.4 logs -f`
+7. Port the changes made to `.env`.
 8. `./scripts/compose.sh pull`
 9. `./scripts/compose.sh down`
 10. `./scripts/compose.sh up -d; ./scripts/compose.sh logs -f`
 9. Check the logs for any issues during during startup. Check if https://sso.test.base23.de is available and test the sso login (e.g https://whoami.test.base23.de) 
 10. Apply changes for test to prod files (`docker-compose.<stage>.yml`,  `env.<stage>.template`), commit & push changes to the Repo in a new branch and create a merge request in preparation for the prod upgrade
 ### Prod
 It is expected that the Upgrade has already been performed and tested on https://sso.test.base23.de, and the changes have been merged into main
-1. Check if the backups are up to date: `docker compose run --rm restore-cli /usr/local/bin/restic snapshots`
+1. Check if the backups are up to date: `./scripts/compose.sh run --rm restore-cli /usr/local/bin/restic snapshots`
-2. Update `AUTHENTIK_TAG` to the desired tag in `env.prod.template`.
+2. Create a new branch `git checkout -b <version>`.
-3. Commit & push changes to the Repo.
+3. Download the the docker compose for the version you want to update:
-4. Run `diff --color='auto' env.prod.template .env` to display the diff between
+   `curl -fsSL -o docker-compose.yml https://goauthentik.io/version/<version>/docker-compose.yml`
-`env.prod.template` and `.env`.
+4. Update `AUTHENTIK_TAG` to the desired tag in `env.prod.template`.
-5. Port the made changes to `.env`.
+5. Commit & push changes to the Repo.
-6. `docker compose pull`
+6. Run `diff --color='auto' env.prod.template .env` to display the diff between
-7. `docker compose down`
+   `env.prod.template` and `.env`.
-8. `docker compose up -d; docker compose logs -f`
+7. Port the made changes to `.env`.
 8. `./scripts/compose.sh pull`
 9. `./scripts/compose.sh down`
 10. `./scripts/compose.sh up -d; ./scripts/compose.sh logs -f`
 ## Disaster recovery / restore
--- a/data/nginx/default.conf.template
+++ b/data/nginx/default.conf.template
@ -1,90 +0,0 @@
 # Upstream where your authentik server is hosted.
 upstream authentik {
 	server server:9443;
 	# Improve performance by keeping some connections alive.
 	keepalive 10;
 }
 # Upgrade WebSocket if requested, otherwise use keepalive
 map $http_upgrade $connection_upgrade_keepalive {
 	default upgrade;
 	''      '';
 }
 # Server just for serving a health endpoint
 server {
 	listen 127.0.0.1:8181;
 	server_name localhost;
 	# replace with the IP address of your resolver
 	resolver ${NGINX_RESOLVER};
 	# Handle /health separately without serving any files
 	location = /health {
 		access_log off;
 		default_type text/plain;
 		return 200 'OK';
 	}
 }
 # Redirect to HTTPS
 server {
 	listen ${NGINX_HTTP_PORT};
 	listen [::]:${NGINX_HTTP_PORT};
 	server_name ${NGINX_SERVERNAME};
 	# Exclude Let's Encrypt directory from redirection
 	location /.well-known/acme-challenge/ {
 		root /var/www/letsencrypt;
 	}
 	# Redirect all other traffic to HTTPS
 	location / {
 		return 302 https://$host$request_uri;
 	}
 }
 # HTTPS Server
 server {
 	listen ${NGINX_HTTPS_PORT} ssl;
 	listen [::]:${NGINX_HTTPS_PORT} ssl;
 	http2 on;
 	server_name ${NGINX_SERVERNAME};
 	ssl_certificate /etc/nginx/ssl/certs/_.base23.de.crt;
 	ssl_certificate_key /etc/nginx/ssl/certs/_.base23.de.key;
 	ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT};
 	ssl_session_cache ${NGINX_SSL_SESSION_CACHE};
 	ssl_dhparam /etc/nginx/ssl/dhparams.pem;
 	# intermediate configuration
 	ssl_protocols ${NGINX_SSL_PROTOCOLS};
 	ssl_ciphers ${NGINX_SSL_CIPHERS};
 	ssl_prefer_server_ciphers ${NGINX_SSL_PREFER_SERVER_CIPHERS};
 	# HSTS (ngx_http_headers_module is required) (63072000 seconds)
 	add_header Strict-Transport-Security ${NGINX_HEADER_STRICT_TRANSPORT_SECURITY};
 	# OCSP stapling
 	ssl_stapling ${NGINX_SSL_STAPLING};
 	ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY};
 	# verify chain of trust of OCSP response using Root CA and Intermediate certs
 	ssl_trusted_certificate /etc/nginx/ssl/certs/_.base23.de.issuer.crt;
 	# replace with the IP address of your resolver
 	resolver ${NGINX_RESOLVER};
 	client_max_body_size 50m;
 	location / {
 		proxy_pass https://authentik;
 		proxy_http_version 1.1;
 		proxy_set_header X-Forwarded-Proto $scheme;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header Host $http_host;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection $connection_upgrade_keepalive;
 	}
 }
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@ -0,0 +1,121 @@
 ---
 services:
  geoipupdate:
    image: "maxmindinc/geoipupdate:latest"
    volumes:
      - "geoip:/usr/share/GeoIP"
    environment:
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN"
      GEOIPUPDATE_FREQUENCY: "8"
      GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}"
      GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}"
  postgresql:
    image: docker.io/library/postgres:${POSTGRES_TAG:?POSTGRES_TAG is not configured}
    volumes:
      - database:/var/lib/postgresql/data
      - backups_db:/var/lib/postgresql/backups
    networks:
      - backend
  redis:
    image: docker.io/library/redis:${REDIS_TAG:?REDIS_TAG is not configured}
    networks:
      - backend
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:?AUTHENTIK_TAG is not configured}
    environment:
      B23_ALLOW_UP: ${B23_ALLOW_UP:?Use the script ./scripts/compose.sh to run this compose!}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
    ports: []
    networks:
      - backend
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:?AUTHENTIK_TAG is not configured}
    environment:
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/authentik/media:/media
      - ./data/authentik/certs:/certs
      - ./data/authentik/custom-templates:/templates
      - geoip:/geoip
    networks:
      - backend
  backup:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    restart: unless-stopped
    environment:
      PRE_COMMANDS: |-
        cd /compose-project/
        [[ $($(docker compose &>/dev/null); echo "$?") -eq 0 ]] || apk add --no-cache docker-cli-compose
        docker compose exec -T postgresql pg_dump -U ${PG_USER:-authentik} -d ${PG_DB:-authentik} -f /var/lib/postgresql/backups/${PG_DB:-authentik}.sql
      RUN_ON_STARTUP: "false"
      BACKUP_CRON: "00 32 2 * * *"
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: '${RESTIC_REPO_PASSWORD:?Restic repository password is required}'
      RESTIC_BACKUP_SOURCES: /var/lib/postgresql/backups /var/lib/authentik/backups /var/lib/lego/backups
      RESTIC_BACKUP_ARGS: >-
        --tag ${RESTIC_TAG:?Restic tag is required}
        --verbose
      RESTIC_FORGET_ARGS: >-
        --keep-last 10
        --keep-daily 7
        --keep-weekly 5
        --keep-monthly 12
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker-compose.yml:/compose-project/docker-compose.yml:ro
      - ./.env:/compose-project/.env:ro
      - backups_db:/var/lib/postgresql/backups:ro
      - ./data/authentik/certs:/var/lib/authentik/backups/certs:ro
      - ./data/authentik/custom-templates:/var/lib/authentik/backups/templates:ro
      - ./data/authentik/media:/var/lib/authentik/backups/media:ro
      - ./data/.lego:/var/lib/lego/backups:ro
  prune-backup:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    restart: unless-stopped
    environment:
      SKIP_INIT: "true"
      RUN_ON_STARTUP: "false"
      PRUNE_CRON: "00 47 3 * * *"
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: '${RESTIC_REPO_PASSWORD:?Restic repository password is required}'
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
  # prüft ob backups noch in Ordnung sind, evtl. erweitern zum prüfen der Daten
  check-backup:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    restart: unless-stopped
    environment:
      #RUN_ON_STARTUP: "true"
      SKIP_INIT: "true"
      CHECK_CRON: "00 08 04 * * *"
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: ${RESTIC_REPO_PASSWORD}
      #POST_COMMANDS_FAILURE: echo "Post Command Failure test" > /restic/message
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
  restore-cli:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    entrypoint: /entrypoint-restore
 volumes:
  backups_db:
    driver: local
  geoip:
    driver: local
 networks:
  backend:
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@ -1,112 +1,13 @@
 ---
 # Based on authentiks official docker-compose.yml
 # Version: 2025.2.1
 services:
  geoipupdate:
    image: "maxmindinc/geoipupdate:latest"
    volumes:
      - "geoip:/usr/share/GeoIP"
    environment:
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN"
      GEOIPUPDATE_FREQUENCY: "8"
      GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}"
      GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}"
  postgresql:
    image: docker.io/library/postgres:${POSTGRES_TAG:?POSTGRES_TAG is not configured}
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
      - backups_db:/var/lib/postgresql/backups
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      - backend
  redis:
    image: docker.io/library/redis:${REDIS_TAG:?REDIS_TAG is not configured}
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
    networks:
      - backend
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:?AUTHENTIK_TAG is not configured}
    restart: unless-stopped
    command: server
    environment:
-      AUTHENTIK_REDIS__HOST: redis
+      B23_ALLOW_UP: "true"
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
    volumes:
      - ./data/authentik/media:/media
      - ./data/authentik/custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - backend
      - frontend
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:?AUTHENTIK_TAG is not configured}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/authentik/media:/media
      - ./data/authentik/certs:/certs
      - ./data/authentik/custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - backend
  nginx:
    build:
      context: ./docker/nginx
@ -150,96 +51,5 @@ services:
    networks:
      - frontend
  backup:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    restart: unless-stopped
    environment:
      PRE_COMMANDS: |-
        cd /compose-project/
        [[ $($(docker compose &>/dev/null); echo "$?") -eq 0 ]] || apk add --no-cache docker-cli-compose
        docker compose exec -T postgresql pg_dump -U ${PG_USER:-authentik} -d ${PG_DB:-authentik} -f /var/lib/postgresql/backups/${PG_DB:-authentik}.sql
      RUN_ON_STARTUP: "false"
      BACKUP_CRON: "00 32 2 * * *"
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: '${RESTIC_REPO_PASSWORD:?Restic repository password is required}'
      RESTIC_BACKUP_SOURCES: /var/lib/postgresql/backups /var/lib/authentik/backups /var/lib/lego/backups
      RESTIC_BACKUP_ARGS: >-
        --tag ${RESTIC_TAG:?Restic tag is required}
        --verbose
      RESTIC_FORGET_ARGS: >-
        --keep-last 10
        --keep-daily 7
        --keep-weekly 5
        --keep-monthly 12
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker-compose.yml:/compose-project/docker-compose.yml:ro
      - ./.env:/compose-project/.env:ro
      - backups_db:/var/lib/postgresql/backups:ro
      - ./data/authentik/certs:/var/lib/authentik/backups/certs:ro
      - ./data/authentik/custom-templates:/var/lib/authentik/backups/templates:ro
      - ./data/authentik/media:/var/lib/authentik/backups/media:ro
      - ./data/.lego:/var/lib/lego/backups:ro
  prune-backup:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    restart: unless-stopped
    environment:
      SKIP_INIT: "true"
      RUN_ON_STARTUP: "false"
      PRUNE_CRON: "00 47 3 * * *"
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: '${RESTIC_REPO_PASSWORD:?Restic repository password is required}'
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
  # prüft ob backups noch in Ordnung sind, evtl. erweitern zum prüfen der Daten
  check-backup:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    restart: unless-stopped
    environment:
      #RUN_ON_STARTUP: "true"
      SKIP_INIT: "true"
      CHECK_CRON: "00 08 04 * * *"
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: ${RESTIC_REPO_PASSWORD}
      #POST_COMMANDS_FAILURE: echo "Post Command Failure test" > /restic/message
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
  restore-cli:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    entrypoint: /entrypoint-restore
    environment:
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: '${RESTIC_REPO_PASSWORD:?Restic repository password is required}'
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
      - ./docker-compose.yml:/compose-project/docker-compose.yml:ro
      - ./.env:/compose-project/.env:ro
      - backups_db:/var/lib/postgresql/backups:rw
      - ./data/authentik/certs:/var/lib/authentik/backups/certs:rw
      - ./data/authentik/custom-templates:/var/lib/authentik/backups/templates:rw
      - ./data/authentik/media:/var/lib/authentik/backups/media:rw
      - ./data/.lego:/var/lib/lego/backups:rw
 volumes:
  backups_db:
    driver: local
  database:
    driver: local
  redis:
    driver: local
  geoip:
    driver: local
 networks:
-  backend:
+  frontend:
  frontend:
--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@ -1,75 +1,8 @@
 ---
 # Based on authentiks official docker-compose.yml
 # Version: 2025.2.1
 services:
  geoipupdate:
    image: "maxmindinc/geoipupdate:latest"
    volumes:
      - "geoip:/usr/share/GeoIP"
    environment:
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN"
      GEOIPUPDATE_FREQUENCY: "8"
      GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}"
      GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}"
  postgresql:
    image: docker.io/library/postgres:${POSTGRES_TAG:?POSTGRES_TAG is not configured}
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
      - backups_db:/var/lib/postgresql/backups
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      - backend
  redis:
    image: docker.io/library/redis:${REDIS_TAG:?REDIS_TAG is not configured}
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
    networks:
      - backend
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:?AUTHENTIK_TAG is not configured}
    restart: unless-stopped
    command: server
    environment:
-      AUTHENTIK_REDIS__HOST: redis
+      B23_ALLOW_UP: "true"
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
    volumes:
      - ./data/authentik/media:/media
      - ./data/authentik/custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - backend
      - web
@ -84,115 +17,6 @@ services:
      - "traefik.http.services.sso.loadbalancer.server.port=9443" # set port the container listenes to
      - "traefik.http.services.sso.loadbalancer.server.scheme=https"
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:?AUTHENTIK_TAG is not configured}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/authentik/media:/media
      - ./data/authentik/certs:/certs
      - ./data/authentik/custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - backend
  backup:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    restart: unless-stopped
    environment:
      PRE_COMMANDS: |-
        cd /compose-project/
        [[ $($(docker compose &>/dev/null); echo "$?") -eq 0 ]] || apk add --no-cache docker-cli-compose
        docker compose exec -T postgresql pg_dump -U ${PG_USER:-authentik} -d ${PG_DB:-authentik} -f /var/lib/postgresql/backups/${PG_DB:-authentik}.sql
      RUN_ON_STARTUP: "false"
      BACKUP_CRON: "00 32 2 * * *"
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: '${RESTIC_REPO_PASSWORD:?Restic repository password is required}'
      RESTIC_BACKUP_SOURCES: /var/lib/postgresql/backups /var/lib/authentik/backups /var/lib/lego/backups
      RESTIC_BACKUP_ARGS: >-
        --tag ${RESTIC_TAG:?Restic tag is required}
        --verbose
      RESTIC_FORGET_ARGS: >-
        --keep-last 10
        --keep-daily 7
        --keep-weekly 5
        --keep-monthly 12
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker-compose.yml:/compose-project/docker-compose.yml:ro
      - ./.env:/compose-project/.env:ro
      - backups_db:/var/lib/postgresql/backups:ro
      - ./data/authentik/certs:/var/lib/authentik/backups/certs:ro
      - ./data/authentik/custom-templates:/var/lib/authentik/backups/templates:ro
      - ./data/authentik/media:/var/lib/authentik/backups/media:ro
      - ./data/.lego:/var/lib/lego/backups:ro
  prune-backup:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    restart: unless-stopped
    environment:
      SKIP_INIT: "true"
      RUN_ON_STARTUP: "false"
      PRUNE_CRON: "00 47 3 * * *"
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: '${RESTIC_REPO_PASSWORD:?Restic repository password is required}'
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
  restore-cli:
    image: registry.git.base23.de/base23/backup/resticker:${RESTICKER_TAG:?RESTICKER_TAG is not configured}
    entrypoint: /entrypoint-restore
    environment:
      RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
      RESTIC_PASSWORD: '${RESTIC_REPO_PASSWORD:?Restic repository password is required}'
      TZ: Europe/Berlin
    volumes:
      - ./data/restic/ssh/:/run/secrets/.ssh:ro
      - ./docker-compose.yml:/compose-project/docker-compose.yml:ro
      - ./.env:/compose-project/.env:ro
      - backups_db:/var/lib/postgresql/backups:rw
      - ./data/authentik/certs:/var/lib/authentik/backups/certs:rw
      - ./data/authentik/custom-templates:/var/lib/authentik/backups/templates:rw
      - ./data/authentik/media:/var/lib/authentik/backups/media:rw
      - ./data/.lego:/var/lib/lego/backups:rw
 volumes:
  backups_db:
    driver: local
  database:
    driver: local
  redis:
    driver: local
  geoip:
    driver: local
 networks:
  backend:
  web:
-    external: true
+    external: true
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,92 @@
 ---
 services:
  postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.2}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.2}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
 volumes:
  database:
    driver: local
  redis:
    driver: local
--- a/docker/nginx/Dockerfile
+++ b/docker/nginx/Dockerfile
@ -1,83 +0,0 @@
 ARG IMAGE=nginxinc/nginx-unprivileged:stable-bullseye
 FROM $IMAGE AS builder
 ARG HTTP_SUBSTITUTIONS_VERSION='e12e965ac1837ca709709f9a26f572a54d83430e'
 ARG HEADERS_MORE_VERSION='0.37'
 USER root
 RUN set -x \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        libgd-dev \
        libgeoip-dev \
        libedit-dev \
        libxslt1-dev \
        libssl-dev \
        libpcre2-dev \
        libperl-dev \
        zlib1g-dev \
        unzip \
    && rm -rf /var/lib/apt/lists/* \
    && mkdir -p /usr/src \
    && curl \
        -o nginx.tar.gz \
        https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
    && curl -L \
        -o nginx_substitutions_filter.zip \
        https://codeload.github.com/yaoweibin/ngx_http_substitutions_filter_module/zip/${HTTP_SUBSTITUTIONS_VERSION} \
    && curl -L \
        -o headers-more-nginx-module.zip \
        https://codeload.github.com/openresty/headers-more-nginx-module/zip/refs/tags/v${HEADERS_MORE_VERSION} \
    && tar -zxC /usr/src -f nginx.tar.gz \
    && unzip nginx_substitutions_filter.zip -d /usr/src \
    && unzip headers-more-nginx-module.zip -d /usr/src \
    && rm nginx.tar.gz \
    && rm nginx_substitutions_filter.zip \
    && rm headers-more-nginx-module.zip \
    && cd /usr/src/nginx-${NGINX_VERSION} \
    && set -eux \
    && eval ./configure $(nginx -V 2>&1 | sed -n -e "s/^.*configure arguments: //p") \
        --add-dynamic-module=/usr/src/ngx_http_substitutions_filter_module-${HTTP_SUBSTITUTIONS_VERSION} \
        --add-dynamic-module=/usr/src/headers-more-nginx-module-${HEADERS_MORE_VERSION} \
        --with-http_sub_module \
    && set +eux \
    && make \
    && make install
 FROM $IMAGE
 ARG BUILD_DATE=01.01.1970
 ARG IMG_TITLE=docker-image
 ARG IMAGE_VERSION=0
 ARG SRC_REV=0
 COPY --from=builder --chown=root:root --chmod=0644 /usr/lib/nginx/modules/ngx_http_subs_filter_module.so /usr/lib/nginx/modules/ngx_http_subs_filter_module.so
 COPY --from=builder --chown=root:root --chmod=0644 /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so
 COPY --from=builder --chown=root:root --chmod=0755 /usr/sbin/nginx /usr/sbin/nginx
 RUN sed -i '1iload_module /usr/lib/nginx/modules/ngx_http_subs_filter_module.so;\n' /etc/nginx/nginx.conf \
    &&  sed -i '1iload_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;\n' /etc/nginx/nginx.conf
 # Redirect log output to stdout and stderr
 RUN set -x \
    && sed -i 's,/var/log/nginx/error.log,/dev/stderr,' /etc/nginx/nginx.conf \
    && sed -i 's,/var/log/nginx/access.log,/dev/stdout,' /etc/nginx/nginx.conf
 # Healthcheck to ping the /health endpoint
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl --fail http://localhost:8181/health || exit 1
 LABEL \
    maintainer="philip.henning@base23.de" \
    org.opencontainers.image.created="${BUILD_DATE}" \
    org.opencontainers.image.vendor="Base23 GmbH" \
    org.opencontainers.image.authors="Philip Henning | Base23 GmbH <philip.henning@base23.de>" \
    org.opencontainers.image.title="${IMG_TITLE}" \
    org.opencontainers.image.description="rootless nginx image based on nginxinc/nginx-unprivileged with subst module" \
    org.opencontainers.image.version="${IMAGE_VERSION}" \
    org.opencontainers.image.source="https://git.base23.de/base23/sso.base23.de" \
    org.opencontainers.image.revision="${SRC_REV}"
--- a/env.prod.template
+++ b/env.prod.template
@ -4,9 +4,9 @@ PUBLIC_DOMAIN=sso.base23.de
 COMPOSE_PROJECT_NAME=sso-base23-de
 # Server Versions
-AUTHENTIK_TAG=2025.2.4
+AUTHENTIK_TAG=2025.6.4
-POSTGRES_TAG=16.6-alpine
+POSTGRES_TAG=16.9-alpine
-REDIS_TAG=7.4.2-alpine
+REDIS_TAG=8.0-alpine
 RESTICKER_TAG=0.0.2-restic0.17.0
 NGINX_UNPRIVILEGED_TAG=1.27.2-bookworm
--- a/env.test.template
+++ b/env.test.template
@ -4,9 +4,9 @@ PUBLIC_DOMAIN=sso.test.base23.de
 COMPOSE_PROJECT_NAME=sso-base23-de
 # Server Versions
-AUTHENTIK_TAG=2025.2.4
+AUTHENTIK_TAG=2025.6.4
-POSTGRES_TAG=16.6-alpine
+POSTGRES_TAG=16.9-alpine
-REDIS_TAG=7.4.2-alpine
+REDIS_TAG=8.0-alpine
 RESTICKER_TAG=0.0.2-restic0.17.0
 # Error reporting & Logging
--- a/scripts/cert_renew.sh
+++ b/scripts/cert_renew.sh
@ -1,12 +0,0 @@
 #!/usr/bin/env bash
 set -euf -o pipefail
 cd "$(dirname "$(realpath "$0")")/../"
 lego \
 	--path ./data/.lego \
 	--email="acme@base23.de" \
 	--domains="*.base23.de" \
 	--dns hetzner \
 	renew \
 	--renew-hook="./scripts/cert_renew_hook.sh"
--- a/scripts/cert_renew_hook.sh
+++ b/scripts/cert_renew_hook.sh
@ -1,8 +0,0 @@
 #!/usr/bin/env bash
 set -euf -o pipefail
 cd "$(dirname "$(realpath "$0")")/../"
 install -m 400 -o 101 -g 101 "./data/.lego/certificates"/{_.base23.de.crt,_.base23.de.issuer.crt,_.base23.de.key} "./data/nginx/certs"
 docker compose restart nginx
--- a/scripts/compose.sh
+++ b/scripts/compose.sh
@ -0,0 +1,32 @@
 #!/usr/bin/env bash
 set -euf -o pipefail
 # Check if yq is installed
 if ! command -v yq &>/dev/null; then
  echo "yq is required but not installed. Please install it manually."
  exit 1
 fi
 STAGE="${1:-}"
 shift || true
 if [[ -z "${STAGE,,}" ]]; then
  echo "Usage: $0 <stage>"
  echo "Example: $0 test"
  exit 1
 fi
 cd "$(dirname "$(realpath "$0")")/../"
 AUTHENTIK_DOCKER_COMPOSE_PATH="$(realpath "$(pwd)")"
 # Merge docker-compose files using yq
 # 1st merger is docker-compose.override.yml on top of the base docker-compose.yml
 # 2nd merger is the stage-specific docker-compose file on top of the result of the first merger
 # The final result is piped to docker compose command
 yq eval-all 'select(fileIndex == 0) * select(fileIndex == 1)' \
    docker-compose.yml \
    docker-compose.override.yml \
  |  yq eval-all 'select(fileIndex == 0) * select(fileIndex == 1)' \
    - \
    docker-compose.${STAGE,,}.yml \
  | ${DOCKER_COMPOSE_CLI} -f- ${@:-}
Author	SHA1	Message	Date
phg	810d7e0cb9	Merge branch 'refactor-docker-compose'	2025-07-26 00:10:37 +02:00
phg	e356e4cf16	cleanup; Readme still in WIP	2025-07-26 00:08:06 +02:00
Philip Henning	cb16fa06b4	Merge branch '2025.6' into 'main' Authentik Upgrade 2025.6 See merge request base23/sso.base23.de!2	2025-07-22 15:59:19 +02:00
Simon Stumpe	317564c27e	Patch 2025.6.4	2025-07-22 15:49:57 +02:00
Simon Stumpe	61e5fe0270	changed login example	2025-07-22 15:41:36 +02:00
Simon Stumpe	3ad1c0c670	Edit README.md	2025-07-22 15:30:50 +02:00
Simon Stumpe	e636c4d7e5	Updated upgrade documentation	2025-07-22 15:30:00 +02:00
Simon Stumpe	c4714b03e6	Upgrade to 2025.6	2025-07-22 14:04:46 +02:00
Simon Stumpe	e43cdb811b	Upgrade to 2025.6	2025-07-22 14:03:27 +02:00
Philip Henning	2e3343403f	Merge branch '2025.4' into 'main' Authentik Upgrade to 2025.4 See merge request base23/sso.base23.de!1	2025-07-22 13:12:20 +02:00
Simon Stumpe	df1f06819e	Set AUTHENTIK_TAG=2025.4.2	2025-07-22 13:09:52 +02:00
Philip Henning	5e79ef4251	bump Authentik version to 2025.4.2 in test environment	2025-06-19 20:13:21 +02:00
Philip Henning	321acaf85d	Refactor docker-compose setup and update Authentik version to 2025.4.2	2025-06-19 20:11:30 +02:00