authentik/docker-compose.prod.yml

---

services:
  server:
    environment:
      B23_ALLOW_UP: "true"
    networks:
      - backend
      - frontend

  nginx:
    build:
      context: ./docker/nginx
      dockerfile: Dockerfile
      args:
        IMAGE: "nginxinc/nginx-unprivileged:${NGINX_UNPRIVILEGED_TAG:?NGINX_UNPRIVILEGED_TAG is not configured}"
        IMG_TITLE: "nginx-unprivileged-base23"
        IMAGE_VERSION: "COMPOSE"
    depends_on:
      server:
        condition: service_healthy
    environment:
      - NGINX_HTTP_PORT=${NGINX_HTTP_PORT:-8080}
      - NGINX_HTTPS_PORT=${NGINX_HTTPS_PORT:-8443}
      - NGINX_RESOLVER=${NGINX_RESOLVER:-127.0.0.11}
      - NGINX_SERVERNAME=${NGINX_SERVERNAME:?Server name is required}
      - NGINX_SSL_SESSION_TIMEOUT=${NGINX_SSL_SESSION_TIMEOUT:-1d}
      - NGINX_SSL_SESSION_CACHE=${NGINX_SSL_SESSION_CACHE:-shared:MozSSL:10m}
      - NGINX_SSL_PROTOCOLS=${NGINX_SSL_PROTOCOLS:-TLSv1.2 TLSv1.3}
      - NGINX_SSL_CIPHERS=${NGINX_SSL_CIPHERS:-ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305}
      - NGINX_SSL_PREFER_SERVER_CIPHERS=${NGINX_SSL_PREFER_SERVER_CIPHERS:-off}
      - NGINX_HEADER_STRICT_TRANSPORT_SECURITY=${NGINX_HEADER_STRICT_TRANSPORT_SECURITY:-'"max-age=63072000" always'}
      - NGINX_SSL_STAPLING=${NGINX_SSL_STAPLING:-on}
      - NGINX_SSL_STAPLING_VERIFY=${NGINX_SSL_STAPLING_VERIFY:-on}
    volumes:
      - ./data/nginx/default.conf.template:/etc/nginx/templates/default.conf.template:ro
      - ./data/nginx/dhparams.pem:/etc/nginx/ssl/dhparams.pem:ro
      - ./data/nginx/certs:/etc/nginx/ssl/certs:ro
      - ./data/nginx/acme:/var/www/letsencrypt:ro
    ports:
      - target: 8080
        published: "80"
        protocol: tcp
        app_protocol: http # Docker Compose 2.26.0
        mode: ingress
      - target: 8443
        published: "443"
        protocol: tcp
        app_protocol: https # Docker Compose 2.26.0
        mode: ingress
    networks:
      - frontend

networks:
  frontend: