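# Authentik identity-provider stack: PostgreSQL, Redis, the authentik server
# and the authentik worker. The server is attached to the external `proxy`
# network and carries Traefik labels; the other services stay on the internal
# network.
#
# Every ${...} value is filled in by Compose interpolation (.env or the shell).
# Secrets passed this way end up in each container's environment and are
# readable through `docker inspect`, so keep the .env file readable only by the
# deploying user.
services:
  ths-authentik-postgres:
    image: ${AUTHENTIK_POSTGRES_IMAGE}
    container_name: ths-authentik-postgres
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: ${AUTHENTIK_DB_PASSWORD}
      POSTGRES_USER: ${AUTHENTIK_DB_USER}
      POSTGRES_DB: ${AUTHENTIK_DB_NAME}
    volumes:
      # :Z asks Docker for a private SELinux label on the bind mount.
      - /opt/authentik/postgres:/var/lib/postgresql/data:Z
    networks:
      # Internal network only: no published ports, not attached to `proxy`.
      - ths_authentik_internal

  ths-authentik-redis:
    image: ${AUTHENTIK_REDIS_IMAGE}
    container_name: ths-authentik-redis
    restart: unless-stopped
    # Snapshot to /data every 60 s when at least one key changed.
    # No password option is passed on this command line, so access control
    # rests entirely on the service staying on the internal network.
    command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"]
    volumes:
      - /opt/authentik/redis:/data:Z
    networks:
      - ths_authentik_internal

  ths-authentik-server:
    image: ${AUTHENTIK_IMAGE}
    container_name: ths-authentik-server
    # The tag is re-pulled on every `up`; pin AUTHENTIK_IMAGE to a fixed
    # version or digest so an upstream tag change cannot silently replace the
    # identity provider.
    pull_policy: always
    restart: unless-stopped
    command: ["server"]
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      # NOTE: internal hostnames are forced here to avoid collisions and to
      # avoid depending on .env for them.
      AUTHENTIK_POSTGRESQL__HOST: ths-authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_DB_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_DB_NAME}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
      AUTHENTIK_REDIS__HOST: ths-authentik-redis
      # NOTE(review): authentik's automated-install documentation describes
      # the AUTHENTIK_BOOTSTRAP_* variables as read by the worker container on
      # first start; confirm they take effect when set on the server only.
      # Remove them after the first start so the initial admin password and
      # API token do not stay in the container environment.
      AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL}
      AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
      AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN}
    # List-form depends_on only orders container start; it does not wait for
    # PostgreSQL or Redis to accept connections.
    depends_on:
      - ths-authentik-postgres
      - ths-authentik-redis
    # `expose` makes the port known to other containers; nothing is published
    # on the host.
    expose:
      - "${AUTHENTIK_HTTP_PORT}"
    networks:
      - ths_authentik_internal
      - proxy
    labels:
      # NOTE(review): no router or traefik.enable label is defined in this
      # file; presumably routing is configured elsewhere -- confirm.

      # Authentik service (panel + endpoints)
      traefik.http.services.ths-authentik.loadbalancer.server.port: "${AUTHENTIK_HTTP_PORT}"

      # forwardAuth middleware (to protect other services) -> reference it as
      # ths-authentik@docker in your THS stacks
      traefik.http.middlewares.ths-authentik.forwardauth.address: "http://ths-authentik-server:${AUTHENTIK_HTTP_PORT}/outpost.goauthentik.io/auth/traefik"
      # With trustForwardHeader enabled Traefik passes the X-Forwarded-*
      # headers it received on to authentik. Only safe when the Traefik
      # entrypoints limit who may set those headers
      # (forwardedHeaders.trustedIPs); otherwise set this to "false".
      traefik.http.middlewares.ths-authentik.forwardauth.trustForwardHeader: "true"
      # Headers copied from the auth response onto the request sent to the
      # protected backend. Backends that rely on them should accept traffic
      # only from Traefik, never directly from clients.
      traefik.http.middlewares.ths-authentik.forwardauth.authResponseHeaders:
        "X-Authentik-Username,X-Authentik-Groups,X-Authentik-Email,X-Authentik-Uid,X-Authentik-Jwt"

  ths-authentik-worker:
    image: ${AUTHENTIK_IMAGE}
    container_name: ths-authentik-worker
    restart: unless-stopped
    command: ["worker"]
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      # NOTE: internal hostnames are forced here, same as for the server.
      AUTHENTIK_POSTGRESQL__HOST: ths-authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_DB_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_DB_NAME}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
      AUTHENTIK_REDIS__HOST: ths-authentik-redis
    depends_on:
      - ths-authentik-postgres
      - ths-authentik-redis
    networks:
      # The worker is not attached to `proxy`; Traefik cannot route to it.
      - ths_authentik_internal

networks:
  # Shared reverse-proxy network; it must already exist before this stack is
  # started.
  proxy:
    external: true
  # Project-private bridge for database, cache, server and worker traffic.
  # It is not marked `internal`, so containers on it keep outbound access.
  ths_authentik_internal:
    driver: bridge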