# Zitadel SSO
#
# Derived from the official zitadel/zitadel compose templates
# (docker-compose.yml merged with docker-compose.mode-external-tls.yml).
#
# Deviations from upstream:
#   - Traefik/proxy service dropped; Caddy is the edge proxy
#   - postgres service dropped; external PostgreSQL 17 at 10.0.0.113
#   - redis service dropped; external Valkey at 10.0.0.111
#   - otel-collector dropped, OTEL env vars dropped
#   - containers joined to proxy_net + services_net + br0 (the stack-local
#     `internal` network is kept for api <-> login traffic)
#   - container_name set so Caddy can address the upstreams by name
#   - all traefik labels dropped
#   - external-TLS overlay values folded in
#
# Security notes for whoever operates this:
#   - TLS is terminated at Caddy; both containers speak plain HTTP.
#   - The master key is passed on the command line, so it is readable via
#     `docker inspect` and host process listings. NOTE(review): if the CLI
#     build in use offers a file- or env-sourced master key flag, prefer it
#     over `--masterkey` — confirm against the ZITADEL CLI help.
#   - Both PostgreSQL connections run with sslmode=disable, so DB credentials
#     and data cross the 10.0.0.0/24 segment in cleartext.
#   - No authentication or TLS is configured for the Valkey cache connection
#     in this file; the cache may carry instance/session-related data.

name: zitadel

services:

  # Core API / console. TLS disabled here because Caddy terminates it;
  # EXTERNALSECURE/EXTERNALPORT describe the public endpoint Caddy exposes.
  zitadel-api:
    image: ghcr.io/zitadel/zitadel:${ZITADEL_VERSION}
    container_name: zitadel-api
    restart: unless-stopped
    # Runs as root inside the container (carried over from the upstream
    # template). NOTE(review): presumably needed to write the bootstrap PAT
    # into the shared volume — confirm before leaving it at 0.
    user: "0"
    # `start-from-init` runs init + setup on first boot and is idempotent
    # afterwards. See the master-key note in the header.
    command: start-from-init --masterkey "${ZITADEL_MASTERKEY}"
    environment:
      # --- listener / public endpoint ---
      - ZITADEL_PORT=8080
      - ZITADEL_TLS_ENABLED=false
      - ZITADEL_EXTERNALDOMAIN=${ZITADEL_DOMAIN}
      - ZITADEL_EXTERNALPORT=443
      - ZITADEL_EXTERNALSECURE=true
      # --- database (external PostgreSQL, cleartext: sslmode=disable) ---
      - ZITADEL_DATABASE_POSTGRES_HOST=10.0.0.113
      - ZITADEL_DATABASE_POSTGRES_PORT=5432
      - ZITADEL_DATABASE_POSTGRES_DATABASE=${POSTGRES_DB}
      # admin role: used only by init/setup to create schema and the app role
      - ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=${POSTGRES_ADMIN_USER}
      - ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=${POSTGRES_ADMIN_PASSWORD}
      - ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable
      # application role: used at runtime
      - ZITADEL_DATABASE_POSTGRES_USER_USERNAME=${POSTGRES_ZITADEL_USER}
      - ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=${POSTGRES_ZITADEL_PASSWORD}
      - ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable
      # --- first-instance bootstrap (only consumed on the very first init) ---
      - ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME=${ZITADEL_ADMIN_USERNAME}
      - ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD=${ZITADEL_ADMIN_PASSWORD}
      # false means the bootstrap admin password from .env stays in use until
      # someone rotates it manually; the .env file is then a long-lived
      # credential store.
      - ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED=false
      # Machine user for the login UI; its PAT is written to the shared
      # volume and read by zitadel-login.
      - ZITADEL_FIRSTINSTANCE_LOGINCLIENTPATPATH=/zitadel/bootstrap/login-client.pat
      - ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_USERNAME=login-client
      - ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_NAME=Automatically Initialized IAM_LOGIN_CLIENT
      # Effectively non-expiring token; compromise of the volume means a
      # long-lived login-client credential. Rotate if the volume is ever exposed.
      - ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_PAT_EXPIRATIONDATE=2099-01-01T00:00:00Z
      # --- login v2 routing (served by zitadel-login behind Caddy) ---
      - ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED=true
      - ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_BASEURI=https://${ZITADEL_DOMAIN}/ui/v2/login/
      - ZITADEL_OIDC_DEFAULTLOGINURLV2=https://${ZITADEL_DOMAIN}/ui/v2/login/login?authRequest=
      - ZITADEL_OIDC_DEFAULTLOGOUTURLV2=https://${ZITADEL_DOMAIN}/ui/v2/login/logout?post_logout_redirect=
      - ZITADEL_SAML_DEFAULTLOGINURLV2=https://${ZITADEL_DOMAIN}/ui/v2/login/login?samlRequest=
      # --- caches (external Valkey, no auth/TLS configured here) ---
      - ZITADEL_CACHES_CONNECTORS_REDIS_ENABLED=true
      - ZITADEL_CACHES_CONNECTORS_REDIS_ADDR=10.0.0.111:6379
      - ZITADEL_CACHES_INSTANCE_CONNECTOR=redis
      - ZITADEL_CACHES_MILESTONES_CONNECTOR=redis
      - ZITADEL_CACHES_ORGANIZATION_CONNECTOR=redis
    healthcheck:
      test:
        - CMD
        - /app/zitadel
        - ready
      interval: 10s
      timeout: 30s
      retries: 12
      start_period: 20s
    volumes:
      # rw: the API writes the login-client PAT here on first init
      - zitadel-bootstrap:/zitadel/bootstrap:rw
    networks:
      internal:
      proxy_net:
      services_net:
      # Static address on br0. NOTE(review): if br0 is a LAN-facing bridge,
      # plain-HTTP port 8080 is reachable from that segment directly,
      # bypassing Caddy's TLS and any edge policy — confirm host/LAN
      # firewalling restricts 8080 to the proxy.
      br0:
        ipv4_address: 10.0.0.11

  # Login v2 UI. Talks to the API over the stack-local network and
  # authenticates with the PAT the API wrote during bootstrap.
  zitadel-login:
    image: ghcr.io/zitadel/zitadel-login:${ZITADEL_VERSION}
    container_name: zitadel-login
    restart: unless-stopped
    # Root inside the container, as upstream. NOTE(review): this service only
    # reads the volume, so a non-root UID may suffice — verify.
    user: "0"
    environment:
      - ZITADEL_API_URL=http://zitadel-api:8080
      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
      - ZITADEL_SERVICE_USER_TOKEN_FILE=/zitadel/bootstrap/login-client.pat
      # Rewrites Host / X-Forwarded-Proto on API calls so the API sees the
      # public origin rather than the internal plain-HTTP one.
      - CUSTOM_REQUEST_HEADERS=Host:${ZITADEL_DOMAIN},X-Forwarded-Proto:https
    healthcheck:
      test: [CMD, /bin/sh, -c, node /app/healthcheck.js http://localhost:3000/ui/v2/login/healthy]
      interval: 10s
      timeout: 30s
      retries: 12
      start_period: 20s
    volumes:
      # ro: the login UI only needs to read the PAT
      - zitadel-bootstrap:/zitadel/bootstrap:ro
    networks:
      internal:
      proxy_net:
    depends_on:
      zitadel-api:
        # wait for `/app/zitadel ready`, i.e. init/setup finished and the
        # PAT file exists before the UI starts
        condition: service_healthy

volumes:
  # Holds the login-client PAT; treat its contents as a secret.
  zitadel-bootstrap:

networks:
  # stack-local only: no external connectivity, api <-> login traffic
  internal:
    internal: true
  # reachable by Caddy
  proxy_net:
    external: true
  # reachable by the external PostgreSQL / Valkey hosts
  services_net:
    external: true
  # host bridge carrying the static 10.0.0.11 address
  br0:
    external: true