From 242a3b7e681b92567f9ed242172fb305f36ff867 Mon Sep 17 00:00:00 2001
From: Eduardo David Paredes Vara
Date: Wed, 3 Dec 2025 14:28:04 +0000
Subject: [PATCH] authentik

---
 authentik/docker-compose.yml | 100 +++++++++++++++++++++++++++++++++++
 authentik/stack.env          |  30 +++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 authentik/docker-compose.yml
 create mode 100644 authentik/stack.env

diff --git a/authentik/docker-compose.yml b/authentik/docker-compose.yml
new file mode 100644
index 0000000..18f23ec
--- /dev/null
+++ b/authentik/docker-compose.yml
@@ -0,0 +1,100 @@
+services:
+  authentik-postgres:
+    image: ${AUTHENTIK_POSTGRES_IMAGE}
+    restart: unless-stopped
+    environment:
+      POSTGRES_PASSWORD: ${AUTHENTIK_DB_PASSWORD}
+      POSTGRES_USER: ${AUTHENTIK_DB_USER}
+      POSTGRES_DB: ${AUTHENTIK_DB_NAME}
+    volumes:
+      - ${AUTHENTIK_POSTGRES_PATH}:/var/lib/postgresql/data:Z
+    networks:
+      - authentik_internal
+
+  authentik-redis:
+    image: ${AUTHENTIK_REDIS_IMAGE}
+    restart: unless-stopped
+    command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"]
+    volumes:
+      - ${AUTHENTIK_REDIS_PATH}:/data:Z
+    networks:
+      - authentik_internal
+
+  authentik-server:
+    image: ${AUTHENTIK_IMAGE}
+    restart: unless-stopped
+    command: ["server"]
+    environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+
+      AUTHENTIK_POSTGRESQL__HOST: ${AUTHENTIK_DB_HOST}
+      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_DB_USER}
+      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_DB_NAME}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
+
+      AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS_HOST}
+
+      # Bootstrap inicial (primera vez)
+      AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL}
+      AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
+      AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN}
+
+    depends_on:
+      - authentik-postgres
+      - authentik-redis
+
+    expose:
+      - "${AUTHENTIK_HTTP_PORT}"
+
+    networks:
+      - authentik_internal
+      - proxy
+
+    labels:
+      traefik.enable: "true"
+      traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK}"
+
+      # Router del panel de Authentik
+      traefik.http.routers.authentik.rule: "Host(`${AUTHENTIK_DOMAIN}`)"
+      traefik.http.routers.authentik.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
+      traefik.http.routers.authentik.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
+      traefik.http.services.authentik.loadbalancer.server.port: "${AUTHENTIK_HTTP_PORT}"
+
+      # Middleware de forwardAuth que usaremos en Portainer, Pi-hole, etc.
+      traefik.http.middlewares.authentik.forwardauth.address: "http://authentik-server:${AUTHENTIK_HTTP_PORT}/outpost.goauthentik.io/auth/traefik"
+      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: "true"
+      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: "X-Authentik-Username,X-Authentik-Groups,X-Authentik-Email,X-Authentik-Uid,X-Authentik-Jwt"
+
+      # Callback del outpost en gitea hacia Authentik
+      traefik.http.routers.authentik-outpost-gitea.rule: "Host(`${GITEA_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      traefik.http.routers.authentik-outpost-gitea.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
+      traefik.http.routers.authentik-outpost-gitea.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
+      traefik.http.routers.authentik-outpost-gitea.service: "authentik"
+      traefik.http.routers.authentik-outpost-gitea.priority: "50"
+
+  authentik-worker:
+    image: ${AUTHENTIK_IMAGE}
+    restart: unless-stopped
+    command: ["worker"]
+    environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+
+      AUTHENTIK_POSTGRESQL__HOST: ${AUTHENTIK_DB_HOST}
+      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_DB_USER}
+      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_DB_NAME}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
+
+      AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS_HOST}
+
+    depends_on:
+      - authentik-postgres
+      - authentik-redis
+    networks:
+      - authentik_internal
+
+networks:
+  proxy:
+    external: true
+  authentik_internal:
+    driver: bridge
+
diff --git a/authentik/stack.env b/authentik/stack.env
new file mode 100644
index 0000000..4079fbc
--- /dev/null
+++ b/authentik/stack.env
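Review bot: The three `AUTHENTIK_BOOTSTRAP_*` variables in authentik-server's environment are meant for the first start only (the comment says so), but as written they are re-injected on every container start and stay readable via `docker inspect` and the process environment for the lifetime of the deployment, and `AUTHENTIK_BOOTSTRAP_TOKEN` in particular seeds a long-lived admin API token whose plaintext then sits in the stack. I would replace `# Bootstrap inicial (primera vez)` with `# First-start only: remove these three (and rotate the token) once the akadmin account exists; otherwise they stay visible in the container environment.` and actually drop them after the initial deploy. One thing to confirm rather than assume: the upstream compose gives the worker the same environment as the server, and if the bootstrap blueprint is applied by the worker rather than the server process, setting these only on authentik-server would silently do nothing. Separately, `depends_on` here only orders container start; with no `healthcheck` defined on authentik-postgres there is nothing for a `condition: service_healthy` to key on, so both authentik containers are relying on their own connection retries at boot.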
@@ -0,0 +1,30 @@
+##### Imágenes #####
+AUTHENTIK_POSTGRES_IMAGE=
+AUTHENTIK_REDIS_IMAGE=
+AUTHENTIK_IMAGE=
+
+##### Base de datos Authentik #####
+AUTHENTIK_DB_PASSWORD=
+AUTHENTIK_DB_USER=
+AUTHENTIK_DB_NAME=
+AUTHENTIK_DB_HOST=
+AUTHENTIK_POSTGRES_PATH=
+
+##### Redis #####
+AUTHENTIK_REDIS_HOST=
+AUTHENTIK_REDIS_PATH=
+
+##### Authentik #####
+AUTHENTIK_SECRET_KEY=
+AUTHENTIK_BOOTSTRAP_EMAIL=
+AUTHENTIK_BOOTSTRAP_PASSWORD=
+AUTHENTIK_BOOTSTRAP_TOKEN=
+AUTHENTIK_HTTP_PORT=
+
+##### Traefik / dominios #####
+TRAEFIK_DOCKER_NETWORK=
+AUTHENTIK_DOMAIN=
+GITEA_DOMAIN=
+TRAEFIK_ENTRYPOINT_SECURE=
+TRAEFIK_CERTRESOLVER=
+
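Review bot: This file is where `AUTHENTIK_SECRET_KEY`, `AUTHENTIK_DB_PASSWORD` and the `AUTHENTIK_BOOTSTRAP_*` credentials will live once the blanks are filled in, and nothing in the file or the patch stops the populated copy from being committed next to the compose file. I would add a header comment such as `# Template only: copy to a git-ignored file before filling in secrets; never commit real values.` and make sure the populated filename is covered by `.gitignore`. A format hint above the key material would also save the next operator a guess, e.g. `# long random string, e.g. openssl rand -base64 60 | tr -d '\n'` above `AUTHENTIK_SECRET_KEY=`; as far as I recall authentik derives session and cookie signing from this value so rotating it logs everyone out, which is worth stating in the comment once confirmed against the docs for the pinned image.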