auto secrets with bash

GW/authentik,yml

@@ -1,34 +1,74 @@
 services:
+  # Init service - generates secrets on first run and outputs them to logs
+  init-secrets:
+    image: alpine:latest
+    command:
+      - sh
+      - -c
+      - |
+        if [ ! -f /secrets/.initialized ]; then
+          PG_PASS=$$(head -c 32 /dev/urandom | base64 | tr -d '\n')
+          SECRET_KEY=$$(head -c 64 /dev/urandom | base64 | tr -d '\n')
+          echo "$$PG_PASS" > /secrets/pg_pass
+          echo "$$SECRET_KEY" > /secrets/secret_key
+          touch /secrets/.initialized
+          echo "========================================================"
+          echo "  AUTHENTIK SECRETS GENERATED - SAVE THESE!"
+          echo "========================================================"
+          echo "PG_PASS: $$PG_PASS"
+          echo ""
+          echo "AUTHENTIK_SECRET_KEY: $$SECRET_KEY"
+          echo "========================================================"
+        else
+          echo "Secrets already initialized, skipping generation."
+          echo "PG_PASS: $$(cat /secrets/pg_pass)"
+          echo "AUTHENTIK_SECRET_KEY: $$(cat /secrets/secret_key)"
+        fi
+    volumes:
+      - secrets:/secrets
+    restart: "no"
+
   postgresql:
+    image: docker.io/library/postgres:16-alpine
+    depends_on:
+      init-secrets:
+        condition: service_completed_successfully
     environment:
       POSTGRES_DB: authentik
-      POSTGRES_PASSWORD: CHANGE_THIS_TO_A_SECURE_PASSWORD_1
       POSTGRES_USER: authentik
+      POSTGRES_PASSWORD_FILE: /secrets/pg_pass
     healthcheck:
       interval: 30s
       retries: 5
       start_period: 20s
       test:
         - CMD-SHELL
-        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
+        - pg_isready -d authentik -U authentik
       timeout: 5s
-    image: docker.io/library/postgres:16-alpine
     restart: unless-stopped
     volumes:
       - database:/var/lib/postgresql/data
+      - secrets:/secrets:ro
 
   server:
+    image: ghcr.io/goauthentik/server:2025.10.3
     command: server
     depends_on:
       postgresql:
         condition: service_healthy
+      init-secrets:
+        condition: service_completed_successfully
+    entrypoint:
+      - sh
+      - -c
+      - |
+        export AUTHENTIK_SECRET_KEY=$$(cat /secrets/secret_key)
+        export AUTHENTIK_POSTGRESQL__PASSWORD=$$(cat /secrets/pg_pass)
+        exec /usr/local/bin/dumb-init -- ak server
     environment:
       AUTHENTIK_POSTGRESQL__HOST: postgresql
       AUTHENTIK_POSTGRESQL__NAME: authentik
-      AUTHENTIK_POSTGRESQL__PASSWORD: CHANGE_THIS_TO_A_SECURE_PASSWORD_1
       AUTHENTIK_POSTGRESQL__USER: authentik
-      AUTHENTIK_SECRET_KEY: CHANGE_THIS_TO_A_LONG_RANDOM_SECRET_KEY_AT_LEAST_50_CHARS
-    image: ghcr.io/goauthentik/server:2025.10.3
     ports:
       - 9000:9000
       - 9443:9443
@@ -36,19 +76,27 @@ services:
     volumes:
       - ./media:/media
       - ./custom-templates:/templates
+      - secrets:/secrets:ro
 
   worker:
+    image: ghcr.io/goauthentik/server:2025.10.3
     command: worker
     depends_on:
       postgresql:
         condition: service_healthy
+      init-secrets:
+        condition: service_completed_successfully
+    entrypoint:
+      - sh
+      - -c
+      - |
+        export AUTHENTIK_SECRET_KEY=$$(cat /secrets/secret_key)
+        export AUTHENTIK_POSTGRESQL__PASSWORD=$$(cat /secrets/pg_pass)
+        exec /usr/local/bin/dumb-init -- ak worker
     environment:
       AUTHENTIK_POSTGRESQL__HOST: postgresql
       AUTHENTIK_POSTGRESQL__NAME: authentik
-      AUTHENTIK_POSTGRESQL__PASSWORD: CHANGE_THIS_TO_A_SECURE_PASSWORD_1
       AUTHENTIK_POSTGRESQL__USER: authentik
-      AUTHENTIK_SECRET_KEY: CHANGE_THIS_TO_A_LONG_RANDOM_SECRET_KEY_AT_LEAST_50_CHARS
-    image: ghcr.io/goauthentik/server:2025.10.3
     restart: unless-stopped
     user: root
     volumes:
@@ -56,7 +104,10 @@ services:
       - ./media:/media
       - ./certs:/certs
       - ./custom-templates:/templates
+      - secrets:/secrets:ro
 
 volumes:
   database:
     driver: local
+  secrets:
+    driver: local