name: nodedc-platform-staging

services:
  reverse-proxy:
    image: ${PLATFORM_PROXY_IMAGE:-caddy:2-alpine}
    restart: unless-stopped
    env_file:
      - path: ${NODEDC_STAGING_ENV_FILE:-.env.staging}
        required: true
    ports:
      - "${PLATFORM_HTTP_PORT:-80}:80"
      - "${PLATFORM_HTTPS_PORT:-443}:443"
    volumes:
      - ./reverse-proxy/Caddyfile.staging:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config
    depends_on:
      authentik-server:
        condition: service_started
    networks:
      - edge
      - identity

  postgresql-authentik:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    env_file:
      - path: ${NODEDC_STAGING_ENV_FILE:-.env.staging}
        required: true
    environment:
      POSTGRES_DB: ${PG_DB:-authentik}
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 20s
    volumes:
      - authentik-database:/var/lib/postgresql/data
    networks:
      - identity

  authentik-server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.2}
    command: server
    restart: unless-stopped
    env_file:
      - path: ${NODEDC_STAGING_ENV_FILE:-.env.staging}
        required: true
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgresql-authentik
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING__ENABLED:-false}
      AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: ${AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS:?trusted proxy CIDR required}
    depends_on:
      postgresql-authentik:
        condition: service_healthy
    expose:
      - "9000"
      - "9443"
    shm_size: 512mb
    volumes:
      - authentik-data:/data
      - ./authentik/custom-templates:/templates:ro
    networks:
      - identity

  authentik-worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.2}
    command: worker
    restart: unless-stopped
    env_file:
      - path: ${NODEDC_STAGING_ENV_FILE:-.env.staging}
        required: true
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgresql-authentik
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING__ENABLED:-false}
    depends_on:
      postgresql-authentik:
        condition: service_healthy
    shm_size: 512mb
    volumes:
      - authentik-data:/data
      - authentik-certs:/certs
      - ./authentik/custom-templates:/templates:ro
    networks:
      - identity

networks:
  edge:
  identity:
    internal: true

volumes:
  authentik-database:
  authentik-data:
  authentik-certs:
  caddy-data:
  caddy-config: