--- services: geoipupdate: image: "maxmindinc/geoipupdate:latest" volumes: - "geoip:/usr/share/GeoIP" environment: GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN" GEOIPUPDATE_FREQUENCY: "8" GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}" GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}" postgresql: image: docker.io/library/postgres:16-alpine restart: unless-stopped healthcheck: test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] start_period: 20s interval: 30s retries: 5 timeout: 5s volumes: - database:/var/lib/postgresql/data environment: POSTGRES_PASSWORD: ${PG_PASS:?database password required} POSTGRES_USER: ${PG_USER:-authentik} POSTGRES_DB: ${PG_DB:-authentik} env_file: - .env networks: - backend redis: image: docker.io/library/redis:alpine command: --save 60 1 --loglevel warning restart: unless-stopped healthcheck: test: ["CMD-SHELL", "redis-cli ping | grep PONG"] start_period: 20s interval: 30s retries: 5 timeout: 3s volumes: - redis:/data networks: - backend server: image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0} restart: unless-stopped command: server environment: AUTHENTIK_REDIS__HOST: redis AUTHENTIK_POSTGRESQL__HOST: postgresql AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} volumes: - ./data/media:/media - ./data/custom-templates:/templates - geoip:/geoip env_file: - .env depends_on: - postgresql - redis networks: - backend - frontend worker: image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0} restart: unless-stopped command: worker environment: AUTHENTIK_REDIS__HOST: redis AUTHENTIK_POSTGRESQL__HOST: postgresql AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} # `user: root` and the docker socket volume are optional. # See more for the docker socket integration here: # https://goauthentik.io/docs/outposts/integrations/docker # Removing `user: root` also prevents the worker from fixing the permissions # on the mounted folders, so when removing this make sure the folders have the correct UID/GID # (1000:1000 by default) user: root volumes: - /var/run/docker.sock:/var/run/docker.sock - ./data/media:/media - ./data/certs:/certs - ./data/custom-templates:/templates - geoip:/geoip env_file: - .env depends_on: - postgresql - redis networks: - backend nginx: build: context: ./docker/nginx dockerfile: Dockerfile args: IMAGE: "nginxinc/nginx-unprivileged:1.27.2-bookworm" IMG_TITLE: "nginx-unprivileged-base23" IMAGE_VERSION: "COMPOSE" environment: - NGINX_HTTP_PORT=${NGINX_HTTP_PORT} - NGINX_HTTPS_PORT=${NGINX_HTTPS_PORT} - NGINX_RESOLVER=${NGINX_RESOLVER} - NGINX_SERVERNAME=${NGINX_SERVERNAME} - NGINX_SSL_SESSION_TIMEOUT=${NGINX_SSL_SESSION_TIMEOUT} - NGINX_SSL_SESSION_CACHE=${NGINX_SSL_SESSION_CACHE} - NGINX_SSL_PROTOCOLS=${NGINX_SSL_PROTOCOLS} - NGINX_SSL_CIPHERS=${NGINX_SSL_CIPHERS} - NGINX_SSL_PREFER_SERVER_CIPHERS=${NGINX_SSL_PREFER_SERVER_CIPHERS} - NGINX_HEADER_STRICT_TRANSPORT_SECURITY=${NGINX_HEADER_STRICT_TRANSPORT_SECURITY} - NGINX_SSL_STAPLING=${NGINX_SSL_STAPLING} - NGINX_SSL_STAPLING_VERIFY=${NGINX_SSL_STAPLING_VERIFY} volumes: - ./data/nginx/default.conf.template:/etc/nginx/templates/default.conf.template:ro - ./data/nginx/dhparams.pem:/etc/nginx/ssl/dhparams.pem:ro - ./data/nginx/certs:/etc/nginx/ssl/certs:ro - ./data/nginx/acme:/var/www/letsencrypt:ro ports: - target: 8080 published: "80" protocol: tcp app_protocol: http # Docker Compose 2.26.0 mode: ingress - target: 8443 published: "443" protocol: tcp app_protocol: https # Docker Compose 2.26.0 mode: ingress networks: - frontend volumes: database: driver: local redis: driver: local geoip: driver: local networks: backend: frontend: