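# systemd service unit that runs the Authentik Docker Compose stack.
# Rendered from a template: the {{ ... }} placeholders are substituted by the
# deployment tooling before the unit is installed (presumably Ansible/Jinja2 —
# confirm against the playbook that ships it).
# systemd unit syntax: `#` full-line comments only, `=` delimiter, no quoting.

[Unit]
Description=Authentik in Docker
# The `docker compose` CLI in ExecStart needs a running Docker daemon. Order
# this unit after docker.service and bind to it, so a boot-time race does not
# fail the first start and burn restart attempts, and so the stack is stopped
# when the daemon itself is stopped.
Requires=docker.service
After=docker.service

[Service]
# The service counts as started once the compose binary has been exec'd. `up`
# is run without -d, so the compose process stays in the foreground and is
# supervised directly by systemd.
Type=exec
# No User= is set, so the service runs as root. Note that any account that can
# talk to the Docker daemon socket is root-equivalent anyway, so a dedicated
# user (which would need docker-group membership) is not a strong privilege
# boundary on its own; the container-level settings in the compose file are
# where least privilege is enforced.
#User=authentik-docker
# Directory holding the rendered compose file for this stack.
WorkingDirectory={{ docker_compose_config_dir }}/authentik
# Starts only the listed compose services, not every service in the file.
ExecStart=docker compose up postgresql redis server worker
# Restart on unclean exit (non-zero status, signal, timeout), waiting 30 s
# between attempts.
Restart=on-failure
RestartSec=30s

# Optional hardening to improve security
# All of the following are disabled. Enable them incrementally and test each
# one: the compose CLI must keep access to the Docker socket, its config
# directory and the volume directory, and several of these (ProtectSystem=strict,
# PrivateUsers, SystemCallFilter, MemoryDenyWriteExecute) can break that.
# ReadWritePaths lists the only writable locations once ProtectSystem=strict
# is on; with ProtectSystem=strict the rest of the filesystem is read-only.
#ReadWritePaths={{ docker_volumes_dir }}/ /tmp/ {{ docker_compose_config_dir }}/
#NoNewPrivileges=yes
# Blocks writable+executable memory mappings; may break runtimes that rely on
# them — verify the compose CLI still starts before enabling.
#MemoryDenyWriteExecute=true
#PrivateDevices=yes
#PrivateTmp=yes
#ProtectHome=yes
#ProtectSystem=strict
#ProtectControlGroups=true
#RestrictSUIDSGID=true
#RestrictRealtime=true
#LockPersonality=true
#ProtectKernelLogs=true
#ProtectKernelTunables=true
#ProtectHostname=true
#ProtectKernelModules=true
# Maps the service into a private user namespace; most likely to interfere
# with Docker socket access — test carefully.
#PrivateUsers=true
#ProtectClock=true
#SystemCallArchitectures=native
# With SystemCallFilter, filtered syscalls return EPERM instead of killing
# the process.
#SystemCallErrorNumber=EPERM
#SystemCallFilter=@system-service

[Install]
# Started at boot once enabled with `systemctl enable`.
WantedBy=multi-user.target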