From f8cd4c2df11afe663b4c461e1cf48623e3755417 Mon Sep 17 00:00:00 2001
From: Eduardo David Paredes Vara
Date: Tue, 17 Feb 2026 08:36:30 +0000
Subject: [PATCH] ak update
---
 authentik/docker-compose.yml | 88 +++++++++++++++++------------------
 1 file changed, 42 insertions(+), 46 deletions(-)
diff --git a/authentik/docker-compose.yml b/authentik/docker-compose.yml
index 1019d9b..d6cf412 100644
--- a/authentik/docker-compose.yml
+++ b/authentik/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
-  authentik-postgres:
+  ths-authentik-postgres:
     image: ${AUTHENTIK_POSTGRES_IMAGE}
-    container_name: authentik-postgres
+    container_name: ths-authentik-postgres
     restart: unless-stopped
     environment:
       POSTGRES_PASSWORD: ${AUTHENTIK_DB_PASSWORD}
@@ -10,46 +10,47 @@ services:
     volumes:
       - ${AUTHENTIK_POSTGRES_PATH}:/var/lib/postgresql/data:Z
     networks:
-      - authentik_internal
+      - ths_authentik_internal
-  authentik-redis:
+  ths-authentik-redis:
     image: ${AUTHENTIK_REDIS_IMAGE}
-    container_name: authentik-redis
+    container_name: ths-authentik-redis
     restart: unless-stopped
     command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"]
     volumes:
       - ${AUTHENTIK_REDIS_PATH}:/data:Z
     networks:
-      - authentik_internal
+      - ths_authentik_internal
-  authentik-server:
+  ths-authentik-server:
     image: ${AUTHENTIK_IMAGE}
-    container_name: authentik-server
+    container_name: ths-authentik-server
     restart: unless-stopped
     command: ["server"]
     environment:
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
-      AUTHENTIK_POSTGRESQL__HOST: ${AUTHENTIK_DB_HOST}
+      # OJO: forzamos hosts internos para evitar colisiones y depender del .env
+      AUTHENTIK_POSTGRESQL__HOST: ths-authentik-postgres
       AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_DB_USER}
       AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_DB_NAME}
       AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
-      AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS_HOST}
+      AUTHENTIK_REDIS__HOST: ths-authentik-redis
       AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL}
       AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
       AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN}
     depends_on:
-      - authentik-postgres
-      - authentik-redis
+      - ths-authentik-postgres
+      - ths-authentik-redis
     expose:
       - "${AUTHENTIK_HTTP_PORT}"
     networks:
-      - authentik_internal
+      - ths_authentik_internal
       - proxy
     labels:
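Review bot: The forced-host pair added here, `AUTHENTIK_POSTGRESQL__HOST: ths-authentik-postgres` and `AUTHENTIK_REDIS__HOST: ths-authentik-redis`, is repeated verbatim (comment included) in the `ths-authentik-worker` environment in the next hunk, so the two services can silently diverge on the next edit. Compose accepts top-level `x-` extension fields and YAML anchors, so the DB/Redis settings shared by server and worker can be declared once and merged into each service with `<<:`, leaving only the `AUTHENTIK_BOOTSTRAP_*` keys in the server block; `<<` is a shallow merge, and a key written directly in the service overrides the merged one. With the hosts pinned here, `AUTHENTIK_DB_HOST` and `AUTHENTIK_REDIS_HOST` are no longer read anywhere in this file, so their `.env` entries (not visible in this diff) are presumably dead and can be removed to avoid drift. The `ths-authentik-server` mapping continues past the end of this hunk.
```yaml
x-ths-authentik-env: &ths_authentik_env
  AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
  # internal hostnames are pinned to the service names, not read from .env
  AUTHENTIK_POSTGRESQL__HOST: ths-authentik-postgres
  AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_DB_USER}
  AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_DB_NAME}
  AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
  AUTHENTIK_REDIS__HOST: ths-authentik-redis

services:
  # … unchanged: ths-authentik-postgres, ths-authentik-redis …
  ths-authentik-server:
    # … unchanged: image, container_name, restart, command …
    environment:
      <<: *ths_authentik_env
      # … unchanged: AUTHENTIK_BOOTSTRAP_EMAIL / _PASSWORD / _TOKEN …
    # … unchanged: depends_on, expose, networks, labels …
```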
@@ -57,60 +58,55 @@ services:
       traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK}"
       # Service Authentik (panel + endpoints)
-      traefik.http.services.authentik.loadbalancer.server.port: "${AUTHENTIK_HTTP_PORT}"
+      traefik.http.services.ths-authentik.loadbalancer.server.port: "${AUTHENTIK_HTTP_PORT}"
       # Panel Authentik (auth.thehomelesssherlock.com)
-      traefik.http.routers.authentik.rule: "Host(`${AUTHENTIK_DOMAIN}`)"
-      traefik.http.routers.authentik.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
-      traefik.http.routers.authentik.tls: "true"
-      traefik.http.routers.authentik.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
-      traefik.http.routers.authentik.service: "authentik"
+      traefik.http.routers.ths-authentik.rule: "Host(`${AUTHENTIK_DOMAIN}`)"
+      traefik.http.routers.ths-authentik.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
+      traefik.http.routers.ths-authentik.tls: "true"
+      traefik.http.routers.ths-authentik.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
+      traefik.http.routers.ths-authentik.service: "ths-authentik"
-      # Middleware forwardAuth (para proteger otros servicios)
-      traefik.http.middlewares.authentik.forwardauth.address: "http://authentik-server:${AUTHENTIK_HTTP_PORT}/outpost.goauthentik.io/auth/traefik"
-      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: "true"
-      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: "X-Authentik-Username,X-Authentik-Groups,X-Authentik-Email,X-Authentik-Uid,X-Authentik-Jwt"
+      # Middleware forwardAuth (para proteger otros servicios) -> usar ths-authentik@docker en tus stacks THS
+      traefik.http.middlewares.ths-authentik.forwardauth.address: "http://ths-authentik-server:${AUTHENTIK_HTTP_PORT}/outpost.goauthentik.io/auth/traefik"
+      traefik.http.middlewares.ths-authentik.forwardauth.trustForwardHeader: "true"
+      traefik.http.middlewares.ths-authentik.forwardauth.authResponseHeaders: "X-Authentik-Username,X-Authentik-Groups,X-Authentik-Email,X-Authentik-Uid,X-Authentik-Jwt"
-      # Callback del outpost en gitea hacia Authentik (ya lo tenías)
-      traefik.http.routers.authentik-outpost-gitea.rule: "Host(`${GITEA_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)"
-      traefik.http.routers.authentik-outpost-gitea.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
-      traefik.http.routers.authentik-outpost-gitea.tls: "true"
-      traefik.http.routers.authentik-outpost-gitea.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
-      traefik.http.routers.authentik-outpost-gitea.service: "authentik"
-      traefik.http.routers.authentik-outpost-gitea.priority: "50"
+      # OUTPOST genérico para TODO el dominio THS (subdominios + apex + www)
+      # ✅ Sin comas dentro de Host()
+      traefik.http.routers.ths-authentik-outpost.rule: "(HostRegexp(`{subdomain:[a-z0-9-]+}.thehomelesssherlock.com`) || Host(`thehomelesssherlock.com`) || Host(`www.thehomelesssherlock.com`)) && PathPrefix(`/outpost.goauthentik.io/`)"
+      traefik.http.routers.ths-authentik-outpost.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
+      traefik.http.routers.ths-authentik-outpost.tls: "true"
+      traefik.http.routers.ths-authentik-outpost.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
+      traefik.http.routers.ths-authentik-outpost.service: "ths-authentik"
+      traefik.http.routers.ths-authentik-outpost.priority: "1000"
-      # ✅ CORRECCIÓN: Callback del outpost para tu WEB (www.thehomelesssherlock.com)
-      traefik.http.routers.authentik-outpost-ths.rule: "Host(`${THS_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)"
-      traefik.http.routers.authentik-outpost-ths.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
-      traefik.http.routers.authentik-outpost-ths.tls: "true"
-      traefik.http.routers.authentik-outpost-ths.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
-      traefik.http.routers.authentik-outpost-ths.service: "authentik"
-      traefik.http.routers.authentik-outpost-ths.priority: "250"
-
-  authentik-worker:
+  ths-authentik-worker:
     image: ${AUTHENTIK_IMAGE}
-    container_name: authentik-worker
+    container_name: ths-authentik-worker
     restart: unless-stopped
     command: ["worker"]
     environment:
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
-      AUTHENTIK_POSTGRESQL__HOST: ${AUTHENTIK_DB_HOST}
+      # OJO: forzamos hosts internos igual que en server
+      AUTHENTIK_POSTGRESQL__HOST: ths-authentik-postgres
       AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_DB_USER}
       AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_DB_NAME}
       AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
-      AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS_HOST}
+      AUTHENTIK_REDIS__HOST: ths-authentik-redis
     depends_on:
-      - authentik-postgres
-      - authentik-redis
+      - ths-authentik-postgres
+      - ths-authentik-redis
     networks:
-      - authentik_internal
+      - ths_authentik_internal
 networks:
   proxy:
     external: true
-  authentik_internal:
+  ths_authentik_internal:
     driver: bridge
+
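Review bot: The new `ths-authentik-outpost` rule hard-codes `thehomelesssherlock.com` three times, while every other host in this file — `${AUTHENTIK_DOMAIN}` just above it, `${GITEA_DOMAIN}`/`${THS_DOMAIN}` in the routers being removed — is taken from the environment, so the domain now has to be maintained in two places; a `${THS_DOMAIN}` substitution inside the rule would keep it in one. `HostRegexp(`{subdomain:[a-z0-9-]+}.thehomelesssherlock.com`)` is the Traefik v2 named-matcher syntax; Traefik v3 reads the argument as a plain Go regexp, in which the `{subdomain:…}` group is (as far as I can tell) taken literally and matches no real host, and an anchored form with escaped dots such as `"(HostRegexp(`^[a-z0-9-]+\\.thehomelesssherlock\\.com$`) || …"` is needed so that only a single label below the apex is accepted — the doubled backslashes are required inside a YAML double-quoted string, and which Traefik major version sits on `${TRAEFIK_DOCKER_NETWORK}` is not visible here, so confirm before choosing. Independently of the version, Traefik cannot derive ACME domains from `HostRegexp`, so the `certresolver` on this router only provisions certificates for the two literal `Host()` entries and the subdomain matches are served with whatever matching certificate is already in the store (or the default certificate) unless `traefik.http.routers.ths-authentik-outpost.tls.domains[0].main` / `.sans` labels are added. The `labels:` mapping this hunk edits belongs to `ths-authentik-server`, whose definition starts in the previous hunk.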