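version: "3.8"

# Environment shared by the authentik server and worker containers. It is
# defined once so the two services cannot drift apart.
#
# Secret values are taken from the shell environment or a .env file next to
# this compose file. The fallback after ":-" is the well-known test value from
# this file, so set your own values before the stack is reachable by anyone but
# you (for AUTHENTIK_SECRET_KEY, a random string of 50+ characters).
x-authentik-env: &authentik-env
  # Core Settings
  AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:-change-me-to-a-random-50-char-string-for-production}"
  AUTHENTIK_ERROR_REPORTING__ENABLED: "false"

  # Database (the password must match POSTGRES_PASSWORD on authentik-db)
  AUTHENTIK_POSTGRESQL__HOST: authentik-db
  AUTHENTIK_POSTGRESQL__USER: authentik
  AUTHENTIK_POSTGRESQL__NAME: authentik
  AUTHENTIK_POSTGRESQL__PASSWORD: "${AUTHENTIK_POSTGRESQL__PASSWORD:-authentik-db-password}"

  # Redis
  AUTHENTIK_REDIS__HOST: authentik-redis

  # Email (optional - for testing, uses console backend)
  AUTHENTIK_EMAIL__HOST: localhost
  AUTHENTIK_EMAIL__PORT: "25"
  AUTHENTIK_EMAIL__USE_TLS: "false"
  AUTHENTIK_EMAIL__USE_SSL: "false"
  AUTHENTIK_EMAIL__TIMEOUT: "10"
  AUTHENTIK_EMAIL__FROM: authentik@localhost

  # Log Level
  AUTHENTIK_LOG_LEVEL: info

  # Disable analytics
  AUTHENTIK_DISABLE_UPDATE_CHECK: "true"
  AUTHENTIK_DISABLE_STARTUP_ANALYTICS: "true"

  # Default admin user (only created on first run).
  # The password and token grant full admin access to the identity provider;
  # treat both as credentials and rotate them after the first login.
  # They are shared with the worker as well: authentik's automated-install
  # documentation lists these variables for the worker container.
  AUTHENTIK_BOOTSTRAP_PASSWORD: "${AUTHENTIK_BOOTSTRAP_PASSWORD:-admin-password}"
  AUTHENTIK_BOOTSTRAP_TOKEN: "${AUTHENTIK_BOOTSTRAP_TOKEN:-initial-admin-token}"
  AUTHENTIK_BOOTSTRAP_EMAIL: admin@example.com

services:
  # PostgreSQL database for Authentik
  # No ports are published: the database is reachable only on authentik-net.
  authentik-db:
    image: postgres:15-alpine
    container_name: authentik-db
    restart: unless-stopped
    environment:
      POSTGRES_USER: authentik
      # Applied only when the data volume is first initialised; changing it
      # later does not change the password of an existing database.
      POSTGRES_PASSWORD: "${AUTHENTIK_POSTGRESQL__PASSWORD:-authentik-db-password}"
      POSTGRES_DB: authentik
    volumes:
      - authentik-db-data:/var/lib/postgresql/data
    networks:
      - authentik-net
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U authentik"]
      interval: 10s
      timeout: 5s
      retries: 5

  # Redis cache for Authentik
  # Runs without a password; it is reachable only on authentik-net.
  authentik-redis:
    image: redis:7-alpine
    container_name: authentik-redis
    restart: unless-stopped
    command: redis-server --save 60 1 --loglevel warning
    volumes:
      - authentik-redis-data:/data
    networks:
      - authentik-net
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  # Authentik Server
  authentik-server:
    image: ghcr.io/goauthentik/server:2024.2
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment: *authentik-env
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates
    # Both ports are published on every host interface. Prefix the mapping
    # with 127.0.0.1: (e.g. "127.0.0.1:9000:9000") when only local access is
    # needed, in particular while the default bootstrap credentials are in use.
    ports:
      - "9000:9000"  # HTTP
      - "9443:9443"  # HTTPS (if configured)
    networks:
      - authentik-net
      - gitea-mirror-net
    depends_on:
      authentik-db:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy

  # Authentik Worker (background tasks)
  authentik-worker:
    image: ghcr.io/goauthentik/server:2024.2
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    # Same environment as server
    environment: *authentik-env
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates
    networks:
      - authentik-net
    depends_on:
      authentik-db:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy

  # Gitea Mirror Application (uncomment to run together)
  # gitea-mirror:
  #   build: .
  #   # OR use pre-built image:
  #   # image: ghcr.io/raylabshq/gitea-mirror:latest
  #   container_name: gitea-mirror
  #   restart: unless-stopped
  #   environment:
  #     # Core Settings
  #     BETTER_AUTH_URL: http://localhost:4321
  #     BETTER_AUTH_TRUSTED_ORIGINS: http://localhost:4321,http://localhost:9000
  #     BETTER_AUTH_SECRET: "your-32-character-secret-key-here"
  #
  #     # GitHub Settings (configure as needed)
  #     GITHUB_USERNAME: ${GITHUB_USERNAME}
  #     GITHUB_TOKEN: ${GITHUB_TOKEN}
  #
  #     # Gitea Settings (configure as needed)
  #     GITEA_URL: ${GITEA_URL}
  #     GITEA_USERNAME: ${GITEA_USERNAME}
  #     GITEA_TOKEN: ${GITEA_TOKEN}
  #   volumes:
  #     - ./data:/app/data
  #   ports:
  #     - "4321:4321"
  #   networks:
  #     - gitea-mirror-net
  #   depends_on:
  #     - authentik-server

volumes:
  authentik-db-data:
    name: authentik-db-data
  authentik-redis-data:
    name: authentik-redis-data
  authentik-media:
    name: authentik-media
  authentik-templates:
    name: authentik-templates

networks:
  authentik-net:
    name: authentik-net
    driver: bridge
  gitea-mirror-net:
    name: gitea-mirror-net
    driver: bridge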