---

services:
  geoipupdate:
    image: "maxmindinc/geoipupdate:latest"
    volumes:
      - "geoip:/usr/share/GeoIP"
    environment:
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN"
      GEOIPUPDATE_FREQUENCY: "8"
      GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}"
      GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}"

  postgresql:
    image: docker.io/library/postgres:${POSTGRES_TAG:?POSTGRES_TAG is not configured}
    volumes:
      - database:/var/lib/postgresql/data
    networks:
      - backend

  redis:
    image: docker.io/library/redis:${REDIS_TAG:?REDIS_TAG is not configured}
    networks:
      - backend

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:?AUTHENTIK_TAG is not configured}
    environment:
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
    ports: []
    volumes:
      - media:/media
      - ./data/authentik/custom-templates:/templates
      - geoip:/geoip
    networks:
      - backend
      - dokploy-network
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dokploy-network"

      - "traefik.http.services.sso-server.loadbalancer.server.port=9443" # set port the container listenes to
      - "traefik.http.services.sso-server.loadbalancer.server.scheme=https"

      - "traefik.http.routers.sso-server-web.rule=Host(`${PUBLIC_DOMAIN}`)"
      - "traefik.http.routers.sso-server-web.entrypoints=web"
      - "traefik.http.routers.sso-server-web.service=sso-server"
      - "traefik.http.routers.sso-server-web.middlewares=redirect-to-https@file"

      - "traefik.http.routers.sso-server-websecure.entrypoints=websecure"
      - "traefik.http.routers.sso-server-websecure.rule=Host(`${PUBLIC_DOMAIN}`)" # change hostname!
      - "traefik.http.routers.sso-server-websecure.tls=true"
      - "traefik.http.routers.sso-server-websecure.tls.certresolver=hetzner"
      - "traefik.http.routers.sso-server-websecure.tls.domains[0].main=${TLS_DOMAIN}"
      - "traefik.http.routers.sso-server-websecure.middlewares=secHeaders@file, hsts-header@file"
      - "traefik.http.routers.sso-server-websecure.service=sso-server"

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:?AUTHENTIK_TAG is not configured}
    environment:
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?PG_PASS is required. - Password for authentik's postgresql database}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - media:/media
      - certs:/certs
      - ./data/authentik/custom-templates:/templates
      - geoip:/geoip
    networks:
      - backend

volumes:
  geoip:
    driver: local
  media:
    driver: local
  certs:
    driver: local

networks:
  backend:
  dokploy-network:
    external: true