name: nodedc-platform

services:
  reverse-proxy:
    image: ${PLATFORM_PROXY_IMAGE:-nodedc/plane-proxy:ru}
    restart: unless-stopped
    env_file:
      - path: .env
        required: false
    ports:
      - "${PLATFORM_HTTP_PORT:-80}:80"
    volumes:
      - ./reverse-proxy/Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config
    depends_on:
      authentik-server:
        condition: service_started
    extra_hosts:
      - "host.docker.internal:host-gateway"

  postgresql-authentik:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    env_file:
      - path: .env
        required: false
    environment:
      POSTGRES_DB: ${PG_DB:-authentik}
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 20s
    volumes:
      - authentik-database:/var/lib/postgresql/data

  authentik-server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.2}
    command: server
    restart: unless-stopped
    env_file:
      - path: .env
        required: false
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgresql-authentik
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: ${AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS:-127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,::1/128}
    depends_on:
      postgresql-authentik:
        condition: service_healthy
    expose:
      - "9000"
      - "9443"
    shm_size: 512mb
    volumes:
      - authentik-data:/data
      - ./authentik/custom-templates:/templates

  authentik-worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.2}
    command: worker
    restart: unless-stopped
    user: root
    env_file:
      - path: .env
        required: false
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgresql-authentik
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
    depends_on:
      postgresql-authentik:
        condition: service_healthy
    shm_size: 512mb
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - authentik-data:/data
      - authentik-certs:/certs
      - ./authentik/custom-templates:/templates

volumes:
  authentik-database:
  authentik-data:
  authentik-certs:
  caddy-data:
  caddy-config: