From 1c34e0cb07f8a219c35a76e4abf361064bb7cc58 Mon Sep 17 00:00:00 2001
From: thhsh-local <thhsh-local@noreply.git.starcat.systems>
Date: Thu, 3 Jul 2025 16:24:03 -0400
Subject: [PATCH] Set up PocketID login

---
 README.md                    |  21 +++++++++++++++------
 caddy/Caddyfile              |  10 ++++++++++
 goauthentik.png              | Bin 1390 -> 0 bytes
 pocket-id.png                | Bin 0 -> 4463 bytes
 pocket-id/.env               |  11 +++++++++++
 pocket-id/README.md          |  20 ++++++++++++++++++++
 pocket-id/docker-compose.yml |  19 +++++++++++++++++++
 7 files changed, 75 insertions(+), 6 deletions(-)
 create mode 100644 caddy/Caddyfile
 delete mode 100644 goauthentik.png
 create mode 100644 pocket-id.png
 create mode 100644 pocket-id/.env
 create mode 100644 pocket-id/README.md
 create mode 100644 pocket-id/docker-compose.yml

diff --git a/README.md b/README.md
index 9a3e9b2..a01bf95 100644
--- a/README.md
+++ b/README.md
@@ -1,22 +1,31 @@
 # auth-server
 
-The configs, tweaks, and pieces that make up the `login.starcat.systems` Authentik server.
+The configs, tweaks, and pieces that make up the `id.starcat.systems` accounts server.
+
+[![Forgejo Last Commit (main)](https://img.shields.io/gitea/last-commit/starcat-infra/auth-server/main?gitea_url=https%3A%2F%2Fgit.starcat.systems&style=flat&logo=git&logoColor=fff&logoSize=auto&label=last%20commit%20(main))](https://git.starcat.systems/starcat-infra/auth-server/src/branch/main)
 
 ## Contents
+-   `pockey-id`:
+    -   `docker-compose.yml`: the Docker Compose file that runs Pocket ID
+    -   `.env`: environment variables to configure Pocket ID
+-   `caddy`:
+    -   `Caddyfile`: the Caddy server configuration (reverse proxies Pocket ID)
 
+## More Information
+For more information on this repo, please see [Pocket ID in the handbook](https://about.starcat.systems/handbook/infrastructure/security/pocket-id/).
 
 ## Repo Mirrors
 Repo contents are automatically pushed to the following mirrors:
 
-[![Main Forge Badge](https://img.shields.io/badge/git.starcat.systems-main-4BC61D?style=flat&logo=forgejo&logoColor=fff&logoSize=auto)](https://git.starcat.systems/starcat-infra/git-server)
+[![Main Forge Badge](https://img.shields.io/badge/git.starcat.systems-main-4BC61D?style=flat&logo=forgejo&logoColor=fff&logoSize=auto)](https://git.starcat.systems/starcat-infra/auth-server)
 
-[![SourceHut Badge](https://img.shields.io/badge/sourcehut-mirror-blue?style=flat&logo=sourcehut&logoColor=fff&logoSize=auto)](https://git.sr.ht/~starcatsys/git-server)
+[![SourceHut Badge](https://img.shields.io/badge/sourcehut-mirror-blue?style=flat&logo=sourcehut&logoColor=fff&logoSize=auto)](https://git.sr.ht/~starcatsys/auth-server)
 
-[![GitLab Badge](https://img.shields.io/badge/GitLab-mirror-blue?style=flat&logo=gitlab&logoColor=fff&logoSize=auto)](https://gitlab.com/starcatsys-mirror/starcat-infra/git-server)
+[![GitLab Badge](https://img.shields.io/badge/GitLab-mirror-blue?style=flat&logo=gitlab&logoColor=fff&logoSize=auto)](https://gitlab.com/starcatsys-mirror/starcat-infra/auth-server)
 
-⚠️ **These mirrors are not routinely monitored.** All issues and pull requests should be directed to the [main forge](https://git.starcat.systems/starcat-infra/git-server).
+⚠️ **These mirrors are not routinely monitored.** All issues and pull requests should be directed to the [main forge](https://git.starcat.systems/starcat-infra/auth-server).
 
 *[Why do we mirror some repos?](https://about.starcat.systems/handbook/infrastructure/code/mirroring/)*
 
 # Licensing Note
-The changes and customizations to configurations, projects, and files in this repo are released under the MIT license. Other files, including those from Authentik, Caddy, and images/logos may be released under different licenses.
\ No newline at end of file
+The changes and customizations to configurations, projects, and files in this repo are released under the MIT license. Other files, including those from Pocket ID, Caddy, and images/logos may be released under different licenses.
\ No newline at end of file
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
new file mode 100644
index 0000000..8143270
--- /dev/null
+++ b/caddy/Caddyfile
@@ -0,0 +1,10 @@
+##############################################################################
+# Caddyfile for PocketID
+# /etc/caddy/Caddyfile
+# After modifying, gracefully reload Caddy with `sudo systemctl reload caddy`
+##############################################################################
+
+# Reverse proxy for PocketID
+id.starcat.systems {
+  reverse_proxy 127.0.0.1:1411
+}
\ No newline at end of file
diff --git a/goauthentik.png b/goauthentik.png
deleted file mode 100644
index de38be4ddbb5a8a59a258e66782874fd353b8f04..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1390
zcmZ`(do<Ju6#mVaIhgSnWQZ&yRG#UfI@!!%c4jI=V?@ZKEe*CgLWo`SlTt{wQXYBj
z<QX%w9>uN>vs50lk>okz=g|sr$ZIsO9cTBC-9P%yckXxZx!<|>pL=eq2bH9bGC%<U
zpiUvX(f|OaNMV4Al0w3(edr27TqL*=0H7ulEeS?$b)#q`XMo$iV^&d^d7PvZPljHW
z2e`_Z-ZFQ48O=dn{!n)6fSlnj&-_sy9UybFlb*0?J#yVh;YUZ)sGfjRaoz-`Gv3U5
zd0Wch8^wxViYtL0H?mM5jGwYp`!0hp32m^(3!cp)ie8=fMPFLx3D(2Uak_#uTKf=+
zF<(VJq4UGxbWGie60119T!AS$_zu-gvL~ff>19=iQrGk7oiE-UmH9tx{_|{|$>!Ly
z9lEJ^QTmhL8wzZbs5)9|PJaIJ7Z;7jT83$QyD|Nx{3GTDa*2K0G*79-Rz}h&shMI;
zgZW8UPo?V31Ibj_xdNP3M&MjhhfP?p7L33H?iQNZrKLWONn+6;S&YZ9KK>YzJtxX`
zb{U7k_dr?gEb$aneU|?|6P_NwcnLvn0S?9JM8sO@ub~?obXOmvb8rCM<iCVCxIA%N
z)R{k85+@6bd`HuQD4@{I@|9G-PSOQeL*RieO2!e_-Q#><S<U*V`8?(e5KsYuet4OL
zXmFbUzNt6S7JNG>?<j>K9k214vtv`k{DBJrtngv%U%A+yCB5D$<nL9A<DSU{Gg^p}
z7LJ4@hT9$o9EY*^Z1dvrqstj6#*pZ9^_!=AibLi5@1KEP6}y=)B}bg+v%z}x)uyS~
zN1pb_y6mk{KC$xrz@BfX<AjC=+b{x(DDb_DRH)rq2-4Txr1eELiT4&%mzq)%g~V!Z
zGDo!{fq#EQ7<j~j$N??edQjYf1)!Z}8mbHV$@Vh8IOBZq_$$fEVNF?#<NQ&qzSr>X
zSX%ORU`&03OA`D*!G}uge#b?}An0vi`U~#7`S2a^$<-E1hpO;b_qW4%)V=<id8OE*
zFDf~_^49?iLAV6C#Bbw-0S!E41AW0(#NQ4oQ}0-?@4u-WvL8-MIOL;wtK&8}M_I~H
z##QQ6oo|QN9D$*>Ywwk}1u+WMR4dAwd~dcz?l;wjKk<81$wAg1#L;fX7;OLW_(tST
zxW5aNXF)`2)?&3hoW}D{qIr|qj=#}e`C-9O2f(3f&UEI3{hLGL(wcf-19W#G=%v??
zwH9vpHhyNP%{?-bY?H~$b`n(OmM;u%b~9!_S@grjIZ>-C>rP8Gms?A~X`$0l$a1uR
zu-W6+##j?wN${Lx+PuC8&hHS79lo$G0b5#Z%%_W(54`N4pay7S<?aU^v(ZjL?KSs4
z4BR48Syv}ms$n>F@s{JZtiDgi1pdq?(rQn_#IkEn_bx3CO0<rTwoec9=dT^u_wR}Q
zb7=pI{NAkiGUJs+L+S%n(WdvDHbm0Hko2HcbYrZQ)vR8`3e`ahXO0Qxo}wEQ>@E)2
zLW}WOR2Oozxxi@-8^I!E_SrzPG;TwHqqQym+|k$pYdpIoGc5o{EMZ&C>+(lX;u}b^
zZgeA?4*C%Lsy#t}qGy!%ZY%t+?8-H^8B(P%(&18fFdbJ+et3Y&DOc-K-JPgyF|UoG
z`10S;26tJQP>mRk`*5&YU5=NAi0ur_RO;o5(JDqv`P|)(4XlY!YJ4`(+6XBcn_z_`
zt^9<D7{JJ84u<p)PUC~`__neF%Ec89BcIWO<dt<7>5c*}wDl;zhSeD-@i&nJnw2Kq
OTNVnD>dJKvy7o8W!Dx{H

diff --git a/pocket-id.png b/pocket-id.png
new file mode 100644
index 0000000000000000000000000000000000000000..8aa7f00f905fe5b6885b8eb2db4a8fe2a969e32c
GIT binary patch
literal 4463
zcmZ`+XE<D2)ZRw#BqB=G6j#(4WsqRB=pp)zXi-O$M7fMQh?*cIdW|qzqIZS~(FHLf
zLbycl5~7#yxZkhu$M?)Lv)4Imy=U(;d#`t`H(LL`Iz0^s4FG^%Q$y7N8VMI)DhlY=
z;D-w(G>|ze=_&zG8Bcp+Lk?Z@+G-f+0^oNG0PJ%Bj-XrEWdOXz0a&#LKrR)4t4}kV
z9^8c-6pyvlRl)hiCl_D%8UUsUO;sf$--(T^KqC|5)^23K=lJpV_DonVf9~|6gG^dG
z+pP&_40D;_bNh6$)baOHNy%c`>{d^cBy=?gAAVz9)*-(6c`TKFwbPP?)2_-$RMZfm
zv@`M(*RDdP5!0gBb{J-8=$Yh;u^f~=KDJmpMlRJ4ZS7PHO}Cv+zQmXWy{tsx&<Q0a
zT}8_If|-tjnLH0<#0;Mo8Om(w%Ltfh`7F!o<CavDZ>y%4l)!a}{Oq<Nehg{%AC1<?
zgztD6N8xFfmRJTeezniKHT^w%l9_#Hr3BXr?`mMbWVKO<E~Z)PW*IDH88rWem{n*p
z9xAXsl@v*W<2XcCPE)72`(*V@WW+wwhRLsA8pI%~Csks_<u9G3OPkN$<q@OUtJ*o0
za+S8#Ik>UoDs7&6TeYnH(7T0hT)nl7CgDl-_x6@MLrZrx7g}IqKswZTQ0VAc_I&JC
z7*LDyj$txp^Bvb`&C_Cj%w;P~FznsZKRw;Imc1<f`*-o`R$C-|@u~aj<i^_)CRv)L
z4K};+88_4Lo-d}+KX&`$=OaH;g>ar-CR-+Q-%xZ>ppq+8!JpmIzrr_WGsu|Hl%KcL
z(Xdpiaw?<O?#$>CKFSvuT@#t{$ZRQ6q(*P}^=HJ}t?kF#)@vwURX3l$TPM2{+;5PC
zWTA}VCy^&jkG9lpI9(QCO``jhyNM2TEG~b04!+)MS&#M$G7H@ytG8es)$_2yTKAhP
z{=L`nJwE6qGbvgBjIE-K?Ry^UZroMj7o|qJoaa*`h3yzQhKi0vt{T1be>5fa-4#PZ
zLhL8lCMUo9Xb}0623zIX*vxL_*rv1g8X3nbbqWYCtiX+9ZTy;*waFH!sNeE2Gvj>B
zRLSURXs`R9pUsPrC60O$b0u+Jd#g37D4`KzaYe=OuEIkz4W4Uqs_ytdto9BLBS%)J
zF{~n%I_HPm9g?D=aiP~3ZdCYZcD@<J<tI}u|3Oak3iT~`eEDErUxdR&l$n@}G!7{i
zo(7)^o&H=YM5`LH6d#CvG3T+-a&)u=)&{k8bt8p2L0ar<V_(L{&1h&D1%h=|JbZ@i
zb=>vnfpG58k>8QI5(&N`NM2qNeF+^BqVc;-@5Ly*Q~C7Jo^r;#wzf8bxRTGv5Qs9w
z-M`7rgtcqK-$_k^!9acF?C@I^NkN5d3c71i`R7+jfu`5aqORW^WQqZI)_v(_u3knk
z|GIx6Z(`!%1m2O6o`Dg{d6cDW*8Ow|AJIQNP*wvV>y3XK;!)>bc%1i+1b|mQ4~-r^
z)QZo~*Jyl80eJcOOG-=MS>4@{{C-oY8h~LRXE!(8`*jx%xd0gm{(F;ieX>5DB0L-d
z^OjHhZ^?69VuoyNi{JU_{z~Dydl!zviOI>8DW87}#A)5rNx-st((Bi@-{~bFZh2BZ
zQ~S;Gy1E7x^f-@_%F2Xf5i7UG5ogF}o|Kftf_%n*G12PRVnfN3vS!GBWqOWx&#{j)
zhk>GQXD6rJa6NhZ=#G7erIKP|VuayWU_ied*&B44k@8=-uCA`6^8g!U&ySv+9t-{@
zb79LGo11G3#w$P+iEWu^4QxiA(*jU5)a3W)w%Yl+BNWmjn9{Gt8GLLG*?wgiNH={~
zSCP@LU-fl$=`EW7iRIwnD8l2Xyq?MEm?7vvK<<mHqQjGojWv7{ud|O1hXiGBhI402
z$KrIdw1|nX(VH!p-F8~B;X2pJqJyu3&hAen)E@Pxh(Q}OGe~?+EYu@rVs@6xnzwK>
z!^5K5)JA+gn@@*_XFCM>;0X-ZWKbd^A`uk14GpQ!KSM-LP#hf_ySK2guse{a#xmX(
zY_(aP_es!j`BU#}ueC7|6_~z-h3+qEYH0ml7ys?_!5q&@cEa^3);Yq*FtqDE3g|d=
zkPMHEC<_sZx}!D>z_-H0VWrBRTlOBCb-iJLGEBC#gpN|l%}ta%G6DwDNQ%nK3(3)F
z?s%V*=hR*+BR4%7A4QPl=I4JhGR^~pss0e8`$&52lU`Pq`Cq=LQn5J2J+{EpKi?wK
zDPlPlxj_#NAta0vKcTET?owm7VxXcMX7c_KHLxSg?OWN^)YCPl>g(^9paaKy8>FC$
zWcbGq9X(OAnd<TGuC9><AyYaM6b93XHVFmTjNLElJP&;B@`oPRf8W?W{$_<7z*$9U
zy5*Arw~6(K840sHR`~fhEF~X4NRg4v&HV&eVIY%r-_L2}Mozb)Qx8+q)7ely;CuAl
z@xm3b_ubKMOC>GrPF7ZyD;2PO)CR2>Mkt$Vrk9{V(_ZC(VMWaA0Qei2Re43*bj@rs
zU$0=H0WGCz)eh_qbSF|aQB^A^Cjo$$78t%xq?2NZjg3{Hgf@*0dJt;ldM}u<@;W=g
zTm-}qWul9oiMO**0Sz*O=a8a%Dm?0%^Z*mjM{;s<fMNyztpBh{g{LBeTls*D?=~-Z
zMUG9ZcI;)fLw;gAIrC|gAOq(0uB70v@a?h<2Fj%5WN3*4rdH&j3S4Y#>9_a44r2uc
ziG`dvHn-9AQGmjEEHf&eyrMYXzUOVO&t&gDt;5B|6#=Z9H0AD*0%S2BpT(U4?{KV)
zkBh^_#LysO&Nc)TNkA1>w6KUs!P|~Ve|a}<Ce$6D4TR3`e;b~4NY-n>0P@NH=9Hy7
z<H35KT7+|kQ?fjCut}t(rAK0tgz&JCHrxZ{$9c0&pX?nSNkJN?twrm}mCwPyHRHSe
zgI$ELT)oO!0%v7@;GsnWUg4!4TUc<3Skw*JR(2_DgQS!cPSL~Ck`kwR{5}jwcHeCB
zUSoCb`GJ~MiEI+-IwPgfpJ)&F+L(|+<k7@&7gR)DaEjdM#DvzNdfaekqbC~0lin3H
z$>g&%m}O*T<=!*z)A*<cO}sUt<E0M3c48S)a`?+Tb@XZtT0U;A6>jS^G>xD4lA}j1
z94fv1R!+R^xi}L9MPAQPm0!<3vBxwD{yh5KFSfGjzX>s2?wa5OJ!JIR?vi2}49j)L
zCtVaeRVjaZ1#)&}%B~2RvMGo{lrksq2?`#r^)nPWpHX3C$MtO7KRTF;*G-cEg#L%M
zO-uIe*Yon0`xg2mvd7qqrRaco#Vv&c>-f1CHtCo5Gw-6uQ{#9P?=!poSOb8SJhz}A
z{GPh{zDyZ!WSEDC2OTF-%=80d^z$n~P?z)H6Q*D5B=;y`+FeVrM9ll3&}hNfs2GIn
zAOK<|+grhfeE1esTTAELQj(HvqPV3LVfaS5BG|6FC=I-k?@TLoW8w=}SDjTlJ*$eM
zd{Nk9PYU4sEbF8o#cK0U`2wLryvb`N(dK7ySsAW3IvO{`4rXpjA(6yHg*WP@%EP^v
z1?ZTy)zvAXt@mFLwFB17z}eY(dDfDpJ@8+#GAs8ev%bE*<>}+iYSoKn6<1XycIl-K
z7alm=J!=@6Yj`%tNp$lg0X(ZO#9DJ-DFrsmN&Y1>zO*p>L;?{o4d_5B6E-i8zy8xf
zu)^vo@yi#bt(F~za0U(?lRkD}J;UEHiCL?2RluA{I1cI$j8`UW1%Vkgk%ukgB5;MB
z^=ixDy{0C)rr;kkhVH)5L{HK)HkmoOxO81Ve6aN2EGfCIm5J!|h-L&WMRj%3Gz`?w
zv|pYpJSIy@IWITOZmz3K9$^)|Au<e6GiqzWOKytQ*34Jt^g}LzmeWV~ja+am+AjbG
zNJ(F%q%763k%omX(=&Fhcr+GORgDy8m62dOfv@-6z51?3>FZ$=lM{D;zrQMGncwX&
zu<aLS1*~m=!PE}{uf_L&bED(D7YEomr2HhG(Yks;t1Ydq9o<-4s${&2GA+0Co|KT5
zlKKJ_BL(~{1u$d53YnG-M?uuj;n+h6acidADlKo#GcGkH=2nQWB=P`XB>}zc{3x4_
zAKYuR9g)W;mFD{TsQq|OfzJUv-~bhT)^FuRfS~c-qpPEMzwEuee@foJ&o`BJ$(>P<
zT!R!uuK7fZJuSJfwMd}H<Hzwi3w|o3__IjG-9}+fsLHwpgMA#ciI0nqOi@8&!DQPJ
z27{55mQD^04NEuxggZxz8ScxyHInh2{)+>J7Rgpdrly8LK?<D$H#BN%r~zFbbOh5`
zc(y8ik?zwc=VuPu+O$_r^_X3I2J#P{lNnl=kN{x{l$u)jWD2Tn>yVZ;V86a>^y_ej
zd#mO-9D`6};B+|T;0D$(pr9C>4U-?2<y$Shj{df3A?Z0L93S9B3MFPee?u5$f*sT?
z0n4C;D>vA|tE*T{aj^yh@QMM4CUFjkSn5lPi+e}Zsi90>HV}y8Q4b{n7?SZyTgppx
zpof+)qTm%8L4sW&iPF<RK|Wa$C#Y9>V0-WSM}W-)0VW2@9sbYQx#@r~3E@k-GSoPQ
zkdXopScUhRN!9*u#9cO!%8fNey48HWc?p_u*NM{im*)^);|2Wd*q8xClZmvThZ<#X
zf3s6JGin|Np`ZTxspiqJA_^ch0~Ts2=18HsLyIyoVZ8(e(-Nu{`V-79UhUR9Dh8++
zWBV8QGp6D`U4ZpXO(XMR;5Y15M#hW(HSidTM4AiS<?0-i!GEvu<jK1)aJa^8z$*Y!
z#H?`44<2aTz6={C0Y_!=aa`~C5)w3Sdp3p%Dt{%xwmvxzA!R{0F(vltu;#@HW~M;*
z*4m_9`E6)X25J5FI<qHKVELGG8|oPn^cQ!SaZj`DldvZFg@!gZZ@&dDZ`)}3%`@M4
zbC}s_#5eN((yQw?o=2#v`c8#)bO-_|6t4QVDu<!5)V<jjc2b!3qJy!qEgP{$BYek`
zjmZr0pHyJ84Jl#rhx1n05p(d6Q0!vcF_h6Wm2vMR5E2`VXYXdg7rWVPb^eorx9RAF
zqc8NxP^&=M(;zxhQth9%FX3l_z)VqB8$uu&a&QGzlN!d5+yft3eW-19@Lb@fXZA~y
z&<`$<_G^B(zNa6)696fp2TKyo@^8HP6oYj$K0FQL3L`fk_y!5VJs<5H3ymV>`Nst7
z7p?&dh%U0VI2TA4_F>2=80u7ids^B+n$S$|Yy8d)H7b|5j}D4|j7Oo1G1}r7rZs&*
znvBMuhRlzrxKiYs--6M9gX7yVcPK7Pr%f6MpUc0j1Y_#5MtmNC#HD2ZDnBF;t=$r)
zxM`@Y4R4;uzu({AR8(5>qWYJt;+Y=C`@a9R0Tmkk=Vp<keB)82@<){JV5j11P^N%Q
z4v-#^Yis>ljBxLDs19Gb)Ad&dHqc}`mnLCyPFEDEwOp(6S8f>Iavb+<k808O5Z)|r
zBv#OcfsN1oImz6y3ry;cXV)nSs#;GC>SCkZu<^NOU2Y(wh|8HbNTdE_tjk&cG`p<+
zk!<9GVT1Zjy38D+r+|ebVK9w)p_`4?E}gZw#QEiP1YCQ?rN<ms@32LnO&R0zV|cS7
zn@~WLfV=S4+#V(pGlM~k4K*g+?I0FPn44Z|W?ptSUiNaf9`?`x5aI|a5plQ(0&WCH
u%1I*S5RyXT;&S5Rn-wjQ{|DgeZijZj{QrQQ4YE5B0BEY+S1nVv4*efOg7ahm

literal 0
HcmV?d00001

diff --git a/pocket-id/.env b/pocket-id/.env
new file mode 100644
index 0000000..cc5cb8d
--- /dev/null
+++ b/pocket-id/.env
@@ -0,0 +1,11 @@
+# Pocket ID .env app configuration
+# Configures the Pocket ID application
+# File location: /srv/pocket-id/.env
+# More information - git repo: https://git.starcat.systems/starcat-infra/auth-server
+# More information - handbook: https://about.starcat.systems/handbook/infrastructure/security/pocket-id/
+# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
+APP_URL=https://id.starcat.systems
+TRUST_PROXY=true
+MAXMIND_LICENSE_KEY=*REDACTED*
+PUID=1000
+PGID=1000
\ No newline at end of file
diff --git a/pocket-id/README.md b/pocket-id/README.md
new file mode 100644
index 0000000..ad9373d
--- /dev/null
+++ b/pocket-id/README.md
@@ -0,0 +1,20 @@
+# Pocket ID README
+## what
+The Docker Compose and `.env` files that run Pocket ID
+
+## where
+```
+/srv/pocket-id/docker-compose.yml
+/srv/pocket-id/.env
+```
+
+## redacted values
+For security, secrets have been redacted from this file. StarCat team members can find these values in [1Password](https://start.1password.com/open/i?a=B5NVCNGFJBCCLCDCN5FKFPGVBI&v=35hhast2kp5lgw3iud374426oa&i=ahsb5ohjmkyvfuoudj564xucgy&h=starcatsys.1password.com). Soon, these values will be autofilled from Vault when the container starts.
+
+## making changes
+If you make changes to `.env` or need to upgrade Pocket ID, just pull the latest image and restart the service:
+
+```
+docker compose pull
+docker compose up -d
+```
\ No newline at end of file
diff --git a/pocket-id/docker-compose.yml b/pocket-id/docker-compose.yml
new file mode 100644
index 0000000..5f15efb
--- /dev/null
+++ b/pocket-id/docker-compose.yml
@@ -0,0 +1,19 @@
+# Docker Compose file for PocketID
+# Location: /srv/pocket-id/docker-compose.yml
+
+services:
+  pocket-id:
+    image: ghcr.io/pocket-id/pocket-id:v1
+    restart: unless-stopped
+    env_file: .env
+    ports:
+      - 1411:1411
+    volumes:
+      - "./data:/app/data"
+    # Optional healthcheck
+    healthcheck:
+      test: "curl -f http://localhost:1411/healthz"
+      interval: 1m30s
+      timeout: 5s
+      retries: 2
+      start_period: 10s
\ No newline at end of file