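services:
  # One-shot init service: on first run it generates the PostgreSQL password
  # and the authentik secret key and stores them in the shared `secrets`
  # volume. The other services read the values from that volume.
  #
  # The secret values are deliberately NOT echoed to stdout: container logs
  # are persisted by the logging driver and are often shipped to central log
  # storage, so anything printed here would outlive the container. To back
  # the values up, read them from the volume as an operator, e.g.
  #   docker compose run --rm init-secrets cat /secrets/pg_pass
  #   docker compose run --rm init-secrets cat /secrets/secret_key
  init-secrets:
    # NOTE(review): `latest` is a mutable tag. Pin a specific release or an
    # image digest so the image that generates the secrets is reproducible.
    image: alpine:latest
    command:
      - sh
      - -c
      - |
        # Abort on any failure so an empty or partial secret is never
        # written and marked as initialized.
        set -eu
        if [ ! -f /secrets/.initialized ]; then
          PG_PASS=$$(head -c 32 /dev/urandom | base64 | tr -d '\n')
          SECRET_KEY=$$(head -c 64 /dev/urandom | base64 | tr -d '\n')
          # NOTE(review): files are created with the default umask, so every
          # container that mounts this volume can read them. Tightening the
          # mode requires matching the UIDs of the consuming services.
          echo "$$PG_PASS" > /secrets/pg_pass
          echo "$$SECRET_KEY" > /secrets/secret_key
          # The marker is written last, only after both secrets exist.
          touch /secrets/.initialized
          echo "========================================================"
          echo " AUTHENTIK SECRETS GENERATED"
          echo " Stored in /secrets/pg_pass and /secrets/secret_key"
          echo " (values are not printed to the logs)"
          echo "========================================================"
        else
          echo "Secrets already initialized, skipping generation."
        fi
    volumes:
      - secrets:/secrets
    restart: "no"

  postgresql:
    image: docker.io/library/postgres:16-alpine
    depends_on:
      init-secrets:
        condition: service_completed_successfully
    environment:
      POSTGRES_DB: authentik
      POSTGRES_USER: authentik
      # Password is read from the file, so it never appears in the service
      # definition or in `docker inspect` output.
      POSTGRES_PASSWORD_FILE: /secrets/pg_pass
    healthcheck:
      interval: 30s
      retries: 5
      start_period: 20s
      test:
        - CMD-SHELL
        - pg_isready -d authentik -U authentik
      timeout: 5s
    restart: unless-stopped
    volumes:
      - database:/var/lib/postgresql/data
      - secrets:/secrets:ro

  server:
    image: ghcr.io/goauthentik/server:2025.10.3
    depends_on:
      postgresql:
        condition: service_healthy
      init-secrets:
        condition: service_completed_successfully
    # The entrypoint is overridden so the secrets can be loaded from the
    # read-only volume into the process environment before `ak` starts.
    # NOTE(review): authentik documents `file://` URIs for configuration
    # values; confirm for this version whether that can replace the shell
    # wrapper and keep the secrets out of the process environment.
    entrypoint: ["/bin/bash", "-c"]
    command:
      - |
        export AUTHENTIK_SECRET_KEY=$$(cat /secrets/secret_key)
        export AUTHENTIK_POSTGRESQL__PASSWORD=$$(cat /secrets/pg_pass)
        exec ak server
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__USER: authentik
    # Quoted so no YAML parser can retype the HOST:CONTAINER pairs.
    # NOTE(review): both ports are published on every host interface. If a
    # reverse proxy on the same host fronts authentik, bind them to
    # 127.0.0.1 instead (e.g. "127.0.0.1:9002:9000").
    ports:
      - "9002:9000"
      - "9443:9443"
    restart: unless-stopped
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
      - secrets:/secrets:ro

  worker:
    image: ghcr.io/goauthentik/server:2025.10.3
    depends_on:
      postgresql:
        condition: service_healthy
      init-secrets:
        condition: service_completed_successfully
    entrypoint: ["/bin/bash", "-c"]
    command:
      - |
        export AUTHENTIK_SECRET_KEY=$$(cat /secrets/secret_key)
        export AUTHENTIK_POSTGRESQL__PASSWORD=$$(cat /secrets/pg_pass)
        exec ak worker
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__USER: authentik
    restart: unless-stopped
    # NOTE(review): running as root with the Docker socket mounted gives this
    # container full control of the Docker daemon, which is equivalent to
    # root on the host. This presumably exists for authentik's Docker
    # outpost integration; if that integration is not used, drop both
    # `user: root` and the socket mount, or put a restricted socket proxy in
    # front of the daemon.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
      - secrets:/secrets:ro

volumes:
  database:
    driver: local
  secrets:
    driver: local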