The CWAD outpost secures backend automation tools—specifically the Calibre-Web Automated Downloader—by enforcing Authentik authentication flows. It joins both frontend_net and backend_net so it can terminate inbound requests while still reaching the protected upstream container.【F:authentik/compose.yml†L78-L82】
ghcr.io/goauthentik/proxy:2025.8.4unless-stoppedfrontend_net, backend_netAUTHENTIK_HOST points to the primary Authentik instance and should remain aligned with TLS certificates issued for auth.bryanwank.com.AUTHENTIK_TOKEN must correspond to the CWAD provider token generated in Authentik. If the provider is re-created, this value must be rotated in the compose definition or Docker secret store.【F:authentik/compose.yml†L78-L82】backend_net allows it to reach Calibre-Web Automated Downloader without exposing that service directly on the public reverse proxy.LISTEN override if you need the outpost to bind a non-default port; otherwise it listens on 9000 internally and is consumed through Docker networking.