feat(authentik): add Docker Compose configuration for Authentik services

nodes/heimdall/authentik/compose.yaml

@@ -0,0 +1,128 @@
+###############################################################
+# Networks
+###############################################################
+networks:
+  proxy-net:
+    name: proxy-net
+    external: true
+
+###############################################################
+# Services
+###############################################################
+services:
+  postgresql:
+    image: docker.io/library/postgres:16-alpine
+    container_name: authentik_postgres
+    # mem_limit: 2048m
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - /mnt/appdata/authentik/database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+      POSTGRES_USER: ${PG_USER:-authentik}
+      POSTGRES_DB: ${PG_DB:-authentik}
+    env_file:
+      - .env
+    networks:
+      - proxy-net
+
+  redis:
+    image: docker.io/library/redis:alpine
+    mem_limit: 2048m
+    container_name: authentik_redis
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - /mnt/appdata/authentik/redis:/data
+    networks:
+      - proxy-net
+
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:2026.2.2
+    restart: unless-stopped
+    mem_limit: 2048m
+    container_name: authentik_server
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    volumes:
+      - /mnt/appdata/authentik/media:/media
+      - /mnt/appdata/authentik/custom-templates:/templates
+      - /mnt/appdata/authentik/icons:/web/dist/assets/icons
+      - /mnt/appdata/authentik/media/public/logos/sitelogo.png:/web/dist/assets/icons/icon_left_brand.png
+      - /mnt/appdata/authentik/media/public/logos/favicon.png:/web/dist/assets/icons/icon.png
+    env_file:
+      - .env
+    ports:
+      - "${COMPOSE_PORT_HTTP:-9000}:9000"
+      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    networks:
+      - proxy-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.authentik.entrypoints=websecure"
+      - "traefik.http.routers.authentik.rule=Host(`sso.castaldifamily.com`)"
+      - "traefik.http.routers.authentik.middlewares=authentik-https-redirect,authentik-auth"
+      - "traefik.http.routers.authentik.tls=true"
+      - "traefik.http.routers.authentik.tls.certresolver=cloudflare"
+      - "traefik.http.routers.authentik.tls.domains[0].main=castaldifamily.com"
+      - "traefik.http.routers.authentik.tls.domains[0].sans=*.castaldifamily.com"
+      - "traefik.http.services.authentik.loadbalancer.server.port=9000" # Update this to match the internal Authentik port
+      - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.authentik-auth.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.authentik-auth.headers.SSLProxyHeaders.X-Forwarded-Proto=https"
+
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:2026.2.2
+    restart: unless-stopped
+    mem_limit: 2048m
+    container_name: authentik_worker
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /mnt/appdata/authentik/media:/media
+      - /mnt/appdata/authentik/certs:/certs
+      - /mnt/appdata/authentik/custom-templates:/templates
+    env_file:
+      - .env
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    networks:
+      - proxy-net