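---
# VM 2: Authentication and Administration
# Private IP: 10.0.0.20
# Public ports: 9000 (Authentik via Nginx proxy from vm-web)
# Technology: Authentik (OIDC/OAuth2 provider)
# Services: Authentik Server, Authentik Worker, PostgreSQL, Redis
#
# Required variables (supply via .env or the environment; keep them out of VCS):
#   AUTHENTIK_SECRET_KEY         long random value; per the Authentik docs,
#                                changing it invalidates active sessions
#   AUTHENTIK_POSTGRES_PASSWORD  database password; there is deliberately no
#                                fallback, so a missing value fails at
#                                `docker compose up` instead of silently
#                                deploying the identity provider with a
#                                well-known credential. An existing volume
#                                initialised with the old default needs that
#                                value set explicitly (and then rotated).
# Optional variables:
#   AUTHENTIK_TAG                image tag for server and worker. Pin this to
#                                a specific release; `latest` (the fallback,
#                                kept for compatibility) makes upgrades of the
#                                identity provider implicit and unreviewed.

services:
  authentik-postgres:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    container_name: auth-postgres
    healthcheck:
      # `$$` escapes Compose interpolation so the variables are expanded by
      # the shell inside the container, not by Compose on the host.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - authentik_postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: "${AUTHENTIK_POSTGRES_PASSWORD:?database password required}"
      POSTGRES_USER: "${AUTHENTIK_POSTGRES_USER:-authentik}"
      POSTGRES_DB: "${AUTHENTIK_POSTGRES_DB:-authentik}"
    # No `ports:` on purpose: the database is reachable only on auth-internal.
    networks:
      - auth-internal

  authentik-redis:
    # NOTE(review): floating tag; consider pinning to a specific Redis release.
    image: docker.io/library/redis:alpine
    restart: unless-stopped
    container_name: auth-redis
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - authentik_redis_data:/data
    # Redis runs without authentication here; that is acceptable only because
    # it publishes no ports and sits solely on auth-internal. Keep it that way.
    networks:
      - auth-internal

  authentik-server:
    image: "ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-latest}"
    restart: unless-stopped
    container_name: auth-server
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:?secret key required}"
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__NAME: "${AUTHENTIK_POSTGRES_DB:-authentik}"
      AUTHENTIK_POSTGRESQL__USER: "${AUTHENTIK_POSTGRES_USER:-authentik}"
      AUTHENTIK_POSTGRESQL__PASSWORD: "${AUTHENTIK_POSTGRES_PASSWORD:?database password required}"
      # Authentik listens on all interfaces inside the container so it is
      # reachable from other VMs; host-side exposure is limited by `ports:`.
      AUTHENTIK_LISTEN__HTTP: "0.0.0.0:9000"
      AUTHENTIK_LISTEN__HTTPS: "0.0.0.0:9443"
    ports:
      # Bound to the private address only, never 0.0.0.0 on the host.
      # Traffic on 9000 is plain HTTP between vm-web and this VM; it carries
      # credentials and tokens, so the 10.0.0.0 segment must be trusted or the
      # proxy should use 9443 instead.
      - "10.0.0.20:9000:9000"
      # NOTE(review): the header lists only 9000 as used by the proxy; drop
      # this mapping if nothing consumes 9443.
      - "10.0.0.20:9443:9443"
    volumes:
      - authentik_media:/media
      - authentik_custom_templates:/templates
    depends_on:
      # Wait for the healthchecks defined above, not just container start.
      authentik-postgres:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy
    networks:
      - auth-internal

  authentik-worker:
    # Same tag variable as the server so both always run the same version.
    image: "ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-latest}"
    restart: unless-stopped
    container_name: auth-worker
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:?secret key required}"
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__NAME: "${AUTHENTIK_POSTGRES_DB:-authentik}"
      AUTHENTIK_POSTGRESQL__USER: "${AUTHENTIK_POSTGRES_USER:-authentik}"
      AUTHENTIK_POSTGRESQL__PASSWORD: "${AUTHENTIK_POSTGRES_PASSWORD:?database password required}"
    # SECURITY: `user: root` together with the Docker socket mount below gives
    # this container control of the host's Docker daemon, which is equivalent
    # to root on the VM. Upstream uses the pair only for Docker-managed
    # outposts; if those are not used, remove both `user: root` and the
    # socket mount. If they are needed, consider a restricting socket proxy.
    user: root
    volumes:
      - authentik_media:/media
      - authentik_custom_templates:/templates
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on:
      authentik-postgres:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy
    networks:
      - auth-internal

volumes:
  authentik_postgres_data: {}
  authentik_redis_data: {}
  authentik_media: {}
  authentik_custom_templates: {}

networks:
  auth-internal:
    driver: bridge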