Initial Authentik setup with docker-compose

- Docker Compose configuration with PostgreSQL, Redis, server and worker
- Authentik version 2025.8.4 (latest stable)
- Gitea Actions workflow for automated deployment
- Environment configuration template
- Directory structure for media, templates and certificates

.gitea/workflows/deploy.yml

@@ -0,0 +1,53 @@
+name: deploy-authentik
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  #───────────────── deploy ─────────────────
+  deploy:
+    runs-on: docker
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Ensure external docker network exists
+        run: |
+          docker network inspect principal >/dev/null 2>&1 || docker network create principal
+
+      - name: Stop existing Authentik stack
+        run: docker compose -f docker-compose.yml --project-name authentik down || true
+
+      - name: Pull latest images
+        run: docker compose -f docker-compose.yml pull
+
+      - name: Start Authentik stack
+        run: docker compose -f docker-compose.yml --project-name authentik up -d --remove-orphans
+
+      - name: Wait for services to be healthy
+        run: |
+          echo "Waiting for PostgreSQL..."
+          timeout 60 bash -c 'until docker compose -f docker-compose.yml --project-name authentik exec -T postgresql pg_isready -U authentik; do sleep 2; done' || echo "PostgreSQL health check timed out"
+
+          echo "Waiting for Redis..."
+          timeout 60 bash -c 'until docker compose -f docker-compose.yml --project-name authentik exec -T redis redis-cli ping | grep PONG; do sleep 2; done' || echo "Redis health check timed out"
+
+      - name: Show service status
+        run: docker compose -f docker-compose.yml --project-name authentik ps
+
+      - name: Show recent logs
+        run: docker compose -f docker-compose.yml --project-name authentik logs --tail=50
+
+      - name: Inspect published ports
+        run: |
+          echo "=== Server container ports ==="
+          CID=$(docker compose -f docker-compose.yml --project-name authentik ps -q server)
+          echo "Container: $CID"
+          docker inspect "$CID" --format '{{json .NetworkSettings.Ports}}' || true
+          docker port "$CID" || true
+
+      - name: Test HTTP endpoint
+        run: |
+          echo "Testing HTTP endpoint..."
+          sleep 10
+          curl -f http://localhost:9000 || echo "HTTP endpoint not ready yet"

.gitignore

@@ -0,0 +1,22 @@
+# Environment variables
+.env
+
+# Authentik data directories
+media/
+certs/
+
+# Docker volumes data (if using local binding)
+postgresql-data/
+redis-data/
+
+# Logs
+*.log
+
+# Temporary files
+*.tmp
+*.bak
+*~
+
+# OS files
+.DS_Store
+Thumbs.db

docker-compose.yml

@@ -0,0 +1,87 @@
+services:
+  postgresql:
+    env_file:
+    - .env
+    environment:
+      POSTGRES_DB: ${PG_DB:-authentik}
+      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+      POSTGRES_USER: ${PG_USER:-authentik}
+    healthcheck:
+      interval: 30s
+      retries: 5
+      start_period: 20s
+      test:
+      - CMD-SHELL
+      - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
+      timeout: 5s
+    image: docker.io/library/postgres:16-alpine
+    restart: unless-stopped
+    volumes:
+    - database:/var/lib/postgresql/data
+  redis:
+    command: --save 60 1 --loglevel warning
+    healthcheck:
+      interval: 30s
+      retries: 5
+      start_period: 20s
+      test:
+      - CMD-SHELL
+      - redis-cli ping | grep PONG
+      timeout: 3s
+    image: docker.io/library/redis:alpine
+    restart: unless-stopped
+    volumes:
+    - redis:/data
+  server:
+    command: server
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    env_file:
+    - .env
+    environment:
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.4}
+    ports:
+    - ${COMPOSE_PORT_HTTP:-9000}:9000
+    - ${COMPOSE_PORT_HTTPS:-9443}:9443
+    restart: unless-stopped
+    volumes:
+    - ./media:/media
+    - ./custom-templates:/templates
+  worker:
+    command: worker
+    depends_on:
+      postgresql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    env_file:
+    - .env
+    environment:
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.4}
+    restart: unless-stopped
+    user: root
+    volumes:
+    - /var/run/docker.sock:/var/run/docker.sock
+    - ./media:/media
+    - ./certs:/certs
+    - ./custom-templates:/templates
+volumes:
+  database:
+    driver: local
+  redis:
+    driver: local