From 3ad01413a865a15184f07c39080532c00fc7dc74 Mon Sep 17 00:00:00 2001
From: Teeko7
Date: Sat, 14 Feb 2026 19:45:07 -0500
Subject: [PATCH 1/2] Update Authentik to more closely match the provided docker-compose.yml (https://docs.goauthentik.io/docker-compose.yml) while maintaining the hardening changes in the previous setup. Also removed redis as it has been removed from Authentik (https://goauthentik.io/blog/2025-11-13-we-removed-redis/)
---
authentik/docker-compose.yml | 70 ++++++++++++------------------------
1 file changed, 23 insertions(+), 47 deletions(-)
diff --git a/authentik/docker-compose.yml b/authentik/docker-compose.yml
index cc32226..ca98cec 100644
--- a/authentik/docker-compose.yml
+++ b/authentik/docker-compose.yml
@@ -2,75 +2,54 @@ services: postgresql: image: docker.io/library/postgres:16-alpine restart: unless-stopped - user: "1000:1000" - healthcheck: - test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] - start_period: 20s - interval: 30s - retries: 5 - timeout: 5s - volumes: - - ${PWD}/database:/var/lib/postgresql/data + env_file: + - .env environment: + POSTGRES_DB: ${PG_DB:-authentik} POSTGRES_PASSWORD: ${PG_PASS:?database password required} POSTGRES_USER: ${PG_USER:-authentik} - POSTGRES_DB: ${PG_DB:-authentik} - env_file: - - .env - labels: - - "com.centurylinklabs.watchtower.enable=true" - networks: - - your-network # Change Value - redis: - image: docker.io/library/redis:alpine - command: --save 60 1 --loglevel warning - restart: unless-stopped - user: "1000:1000" healthcheck: - test: ["CMD-SHELL", "redis-cli ping | grep PONG"] - start_period: 20s interval: 30s retries: 5 - timeout: 3s + start_period: 20s + test: + - CMD-SHELL + - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER} + timeout: 5s volumes: - - ${PWD}/redis:/data + - ./postgresql:/var/lib/postgresql/data labels: - "com.centurylinklabs.watchtower.enable=true" - networks: - - your-network # Change Value server: - image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.1} + image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.12.4} + depends_on: + postgresql: + condition: service_healthy restart: unless-stopped command: server environment: - AUTHENTIK_REDIS__HOST: redis AUTHENTIK_POSTGRESQL__HOST: postgresql AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} + AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required} volumes: - - ${PWD}/media:/media - - ${PWD}/custom-templates:/templates + - ./data:/data + - ./custom-templates:/templates env_file: - .env ports: - 127.0.0.1:${COMPOSE_PORT_HTTP:-9000}:9000 #Localhost only with reverse-proxy - 
127.0.0.1:${COMPOSE_PORT_HTTPS:-9443}:9443 #Localhost only with reverse-proxy - depends_on: - postgresql: - condition: service_healthy - redis: - condition: service_healthy labels: - "com.centurylinklabs.watchtower.enable=true" networks: - - your-network # Change Value + - your-network worker: image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.1} restart: unless-stopped command: worker environment: - AUTHENTIK_REDIS__HOST: redis AUTHENTIK_POSTGRESQL__HOST: postgresql AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} @@ -83,20 +62,17 @@ services: # (1000:1000 by default) volumes: - /var/run/docker.sock:/var/run/docker.sock - - ${PWD}/media:/media - - ${PWD}/certs:/certs - - ${PWD}/custom-templates:/templates + - ./data:/data + - ./certs:/certs + - ./custom-templates:/templates env_file: - .env depends_on: postgresql: condition: service_healthy - redis: - condition: service_healthy labels: - "com.centurylinklabs.watchtower.enable=true" - networks: - - your-network # Change Value networks: - your-network: # Change Value - external: true \ No newline at end of file + your-network: + external: true + name: your-network From 2979b1ff51fac485a58e94499e836fd4a89866b4 Mon Sep 17 00:00:00 2001 From: Teeko7 Date: Sat, 14 Feb 2026 19:49:17 -0500 Subject: [PATCH 2/2] readded user on postgresql container --- authentik/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/authentik/docker-compose.yml b/authentik/docker-compose.yml index ca98cec..2b9c898 100644 --- a/authentik/docker-compose.yml +++ b/authentik/docker-compose.yml @@ -2,6 +2,7 @@ services: postgresql: image: docker.io/library/postgres:16-alpine restart: unless-stopped + user: "1000:1000" env_file: - .env environment:
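Review bot: After patch 1 the `server` service is attached only to the external `your-network`, while `postgresql` (its `networks:` entry is dropped in the `@@ -2,75 +2,54 @@` hunk) and `worker` (dropped in the `@@ -83,20 +62,17 @@` hunk) fall back to the project's default network, so `AUTHENTIK_POSTGRESQL__HOST: postgresql` should no longer resolve from the server. Keeping the database off the shared reverse-proxy network is the better layout, but the server then needs both attachments: add `- default` above `- your-network` under the server's `networks:`. Separately, the same hunk moves the server default tag to `2025.12.4` but leaves the worker's context line at `${AUTHENTIK_TAG:-2025.8.1}`. With `AUTHENTIK_TAG` unset the two containers run different releases, and the older worker, which going by the commit message predates the Redis removal, no longer receives `AUTHENTIK_REDIS__HOST`. The worker default should read `${AUTHENTIK_TAG:-2025.12.4}` as well.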
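Review bot: In the `@@ -83,20 +62,17 @@` hunk the worker keeps the `/var/run/docker.sock:/var/run/docker.sock` bind mount with nothing on the new side saying what it grants, even though the commit message stresses keeping the hardening. Access to that socket is effectively control of the host's Docker daemon. I would put a comment directly above the mount, for example `# Host-level Docker control: only needed for automatic outpost deployment; remove or use a socket proxy otherwise` (to my knowledge that is the only upstream use, worth confirming against the Authentik docs). The hunk also drops every `# Change Value` marker while adding `name: your-network`, so the placeholder now appears in three places with no hint that it must be edited; a single comment on the top-level `networks:` entry would restore that. The worker block starts in the previous hunk and the lines between the two hunks are not shown, so which user the worker runs as cannot be confirmed from here.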
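Review bot: Re-adding `user: "1000:1000"` in the `@@ -2,6 +2,7 @@` hunk of patch 2 is the right call, but it now pairs with the new `./postgresql` bind mount from patch 1 (outside this hunk), and nothing documents the ownership that this requires. On a rootful daemon a missing bind-mount source is created as root, so a first start would probably fail to write the data directory as UID 1000. A comment on the line would cover it, e.g. `# ./postgresql must exist and be owned by 1000:1000 before first start`. Installs that already hold data under the old `database` directory also need it moved to `./postgresql`, otherwise the container starts against an empty directory.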