services: ths-authentik-postgres: image: ${AUTHENTIK_POSTGRES_IMAGE} container_name: ths-authentik-postgres restart: unless-stopped environment: POSTGRES_PASSWORD: ${AUTHENTIK_DB_PASSWORD} POSTGRES_USER: ${AUTHENTIK_DB_USER} POSTGRES_DB: ${AUTHENTIK_DB_NAME} volumes: - ${AUTHENTIK_POSTGRES_PATH}:/var/lib/postgresql/data:Z networks: - ths_authentik_internal ths-authentik-redis: image: ${AUTHENTIK_REDIS_IMAGE} container_name: ths-authentik-redis restart: unless-stopped command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"] volumes: - ${AUTHENTIK_REDIS_PATH}:/data:Z networks: - ths_authentik_internal ths-authentik-server: image: ${AUTHENTIK_IMAGE} container_name: ths-authentik-server restart: unless-stopped command: ["server"] environment: AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY} # OJO: forzamos hosts internos para evitar colisiones y depender del .env AUTHENTIK_POSTGRESQL__HOST: ths-authentik-postgres AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_DB_USER} AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_DB_NAME} AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD} AUTHENTIK_REDIS__HOST: ths-authentik-redis AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL} AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD} AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN} depends_on: - ths-authentik-postgres - ths-authentik-redis expose: - "${AUTHENTIK_HTTP_PORT}" networks: - ths_authentik_internal - proxy labels: traefik.enable: "true" traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK}" # Service Authentik (panel + endpoints) traefik.http.services.ths-authentik.loadbalancer.server.port: "${AUTHENTIK_HTTP_PORT}" # Panel Authentik (auth.thehomelesssherlock.com) traefik.http.routers.ths-authentik.rule: "Host(`${AUTHENTIK_DOMAIN}`)" traefik.http.routers.ths-authentik.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}" traefik.http.routers.ths-authentik.tls: "true" traefik.http.routers.ths-authentik.tls.certresolver: "${TRAEFIK_CERTRESOLVER}" traefik.http.routers.ths-authentik.service: "ths-authentik" # Middleware forwardAuth (para proteger otros servicios) -> usar ths-authentik@docker en tus stacks THS traefik.http.middlewares.ths-authentik.forwardauth.address: "http://ths-authentik-server:${AUTHENTIK_HTTP_PORT}/outpost.goauthentik.io/auth/traefik" traefik.http.middlewares.ths-authentik.forwardauth.trustForwardHeader: "true" traefik.http.middlewares.ths-authentik.forwardauth.authResponseHeaders: "X-Authentik-Username,X-Authentik-Groups,X-Authentik-Email,X-Authentik-Uid,X-Authentik-Jwt" # OUTPOST genérico para TODO el dominio THS (subdominios + apex + www) # ✅ Sin comas dentro de Host() traefik.http.routers.ths-authentik-outpost.rule: "(HostRegexp(`{subdomain:[a-z0-9-]+}.thehomelesssherlock.com`) || Host(`thehomelesssherlock.com`) || Host(`www.thehomelesssherlock.com`)) && PathPrefix(`/outpost.goauthentik.io/`)" traefik.http.routers.ths-authentik-outpost.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}" traefik.http.routers.ths-authentik-outpost.tls: "true" traefik.http.routers.ths-authentik-outpost.tls.certresolver: "${TRAEFIK_CERTRESOLVER}" traefik.http.routers.ths-authentik-outpost.service: "ths-authentik" traefik.http.routers.ths-authentik-outpost.priority: "1000" ths-authentik-worker: image: ${AUTHENTIK_IMAGE} container_name: ths-authentik-worker restart: unless-stopped command: ["worker"] environment: AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY} # OJO: forzamos hosts internos igual que en server AUTHENTIK_POSTGRESQL__HOST: ths-authentik-postgres AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_DB_USER} AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_DB_NAME} AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD} AUTHENTIK_REDIS__HOST: ths-authentik-redis depends_on: - ths-authentik-postgres - ths-authentik-redis networks: - ths_authentik_internal networks: proxy: external: true ths_authentik_internal: driver: bridge