services:
  authentik-ldap:
    image: ghcr.io/goauthentik/ldap:2025.2.4
    container_name: authentik-ldap
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: https://auth.kitestacks.com
      AUTHENTIK_INSECURE: "false"
      # Token from Authentik outpost "osTicket LDAP Outpost"
      # Regenerate via: Authentik admin → Outposts → osTicket LDAP Outpost → token
      AUTHENTIK_TOKEN: REDACTED
    networks:
      - kitestacks
      - osticket_default

  # socat proxy: bridges standard LDAP port 389 → outpost port 3389
  # Required because Net_LDAP2 (osTicket's LDAP library) always uses port 389
  authentik-ldap-proxy:
    image: alpine/socat
    container_name: authentik-ldap-proxy
    restart: unless-stopped
    command: TCP-LISTEN:389,fork,reuseaddr TCP:authentik-ldap:3389
    depends_on:
      - authentik-ldap
    networks:
      - osticket_default

networks:
  kitestacks:
    external: true
  osticket_default:
    external: true