infrastructure/playbooks/roles/authentik/vars/main.yml
Tobias Reisinger 9af19f51fa
Fix caddy forward_auth settings for authentik
The snippet will now set the correct Host for the next hop and keep the
original site's host in the X-Forward-Auth-Host header. The authentik caddy-site
will then copy X-Forward-Auth-Host into X-Forwarded-Host (which would
normally be the authentik host/domain). Authentik is able to handle the
X-Forwarded-Host header.
2025-05-30 15:15:34 +02:00


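---
# Role variables for the authentik service (SSO / forward-auth provider).
# `svc` in the expressions below refers to this `authentik_svc` mapping as
# exposed by the shared service templates (presumably; confirm in the role).
authentik_svc:
  domain: "{{ all_services | service_get_domain(role_name) }}"
  port: 9000
  # Extra directive for the authentik caddy site: the forward_auth snippet
  # stores the original site's host in X-Forward-Auth-Host, and this copies
  # it into X-Forwarded-Host so authentik sees the host the user actually
  # requested instead of its own domain.
  # NOTE(review): the value is read from a request header, so a request sent
  # directly to the authentik site (not via the forward_auth hop) can set it
  # too. If authentik derives absolute URLs (redirects, flow links) from
  # X-Forwarded-Host, scope this header_up to requests arriving from the
  # forward_auth hop, or make sure the snippet always overwrites the header
  # rather than passing through a client-supplied one -- confirm before relying on it.
  caddy_proxy_extra: "header_up X-Forwarded-Host {http.request.header.X-Forward-Auth-Host}"
  # Quoted on purpose: an unquoted 2025.2 is a YAML float, and a tag such as
  # 2025.10 would be rendered as "2025.1" in the image references below.
  image_tag: "2025.2"
  db:
    host: "{{ postgres.host }}"
    # Credentials come from the opentofu state, never from this file.
    user: "{{ opentofu.postgresql_data.authentik.user }}"
    pass: "{{ opentofu.postgresql_data.authentik.pass }}"
    database: "{{ opentofu.postgresql_data.authentik.database }}"

# Rendered into the container env file (service.env below). Every value is a
# string there, so booleans and numbers are quoted to keep the rendered text
# independent of Jinja's Python-style True/False formatting.
authentik_env:
  # Secret material is vault-sourced; keep it out of plain group/host vars.
  AUTHENTIK_SECRET_KEY: "{{ vault_authentik.secret_key }}"
  AUTHENTIK_EMAIL__HOST: "{{ mailer.host }}"
  AUTHENTIK_EMAIL__PORT: "{{ mailer.port }}"
  AUTHENTIK_EMAIL__USERNAME: "{{ opentofu.mailcow_data.authentik.address }}"
  AUTHENTIK_EMAIL__PASSWORD: "{{ opentofu.mailcow_data.authentik.password }}"
  # STARTTLS on, implicit TLS off -- the two are mutually exclusive.
  AUTHENTIK_EMAIL__USE_TLS: "true"
  AUTHENTIK_EMAIL__USE_SSL: "false"
  AUTHENTIK_EMAIL__TIMEOUT: "10"
  AUTHENTIK_EMAIL__FROM: "{{ opentofu.mailcow_data.authentik.address }}"
  AUTHENTIK_AVATARS: "none"
  # Resolves to the `redis` compose service below.
  AUTHENTIK_REDIS__HOST: redis
  AUTHENTIK_POSTGRESQL__HOST: "{{ svc.db.host }}"
  AUTHENTIK_POSTGRESQL__NAME: "{{ svc.db.database }}"
  AUTHENTIK_POSTGRESQL__USER: "{{ svc.db.user }}"
  AUTHENTIK_POSTGRESQL__PASSWORD: "{{ svc.db.pass }}"

authentik_compose:
  # presumably consumed by the shared compose template for watchtower
  # auto-update labelling -- TODO confirm
  watchtower: update
  image: ghcr.io/goauthentik/server:{{ svc.image_tag }}
  file:
    services:
      # `app` only overrides command/depends_on; image, env_file etc. are
      # expected to come from the shared template (not visible here).
      app:
        command: server
        depends_on:
          - redis
      worker:
        image: ghcr.io/goauthentik/server:{{ svc.image_tag }}
        restart: always
        command: worker
        # NOTE(review): root plus the Docker socket gives this container
        # control of the host Docker daemon (effectively host root). This is
        # presumably needed for authentik's outpost management -- confirm; if
        # outposts are not deployed from here, drop the socket mount, or front
        # it with a socket proxy that only allows the required API calls.
        user: root
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - ./certs:/certs
        env_file:
          - service.env
        depends_on:
          - redis
        # Empty value is intentional: attach to the default network with no
        # per-service options.
        networks:
          default:
      redis:
        image: redis:alpine
        restart: always
        networks:
          default: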