diff --git a/authentik/compose.yml b/authentik/compose.yml
index 10f5b5c..7984f66 100644
--- a/authentik/compose.yml
+++ b/authentik/compose.yml
@@ -2,8 +2,12 @@ services:
   postgresql:
     image: docker.io/library/postgres:16-alpine
     restart: unless-stopped
+    labels:
+      - diun.enable=true
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -d $${PG_DB} -U $${PG_USER}"]
+      test:
+        - CMD-SHELL
+        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
       start_period: 20s
       interval: 30s
       retries: 5
@@ -14,15 +18,18 @@ services:
       POSTGRES_PASSWORD: ${PG_PASS:?database password required}
       POSTGRES_USER: ${PG_USER:-authentik}
       POSTGRES_DB: ${PG_DB:-authentik}
-      POSTGRES_PORT: ${PG_PORT:-5432}
     env_file:
       - .env
   redis:
     image: docker.io/library/redis:alpine
     command: --save 60 1 --loglevel warning
     restart: unless-stopped
+    labels:
+      - diun.enable=true
     healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      test:
+        - CMD-SHELL
+        - redis-cli ping | grep PONG
       start_period: 20s
       interval: 30s
       retries: 5
@@ -30,10 +37,13 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ghcr.io/goauthentik/server:2025.2.0
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-latest}
     restart: unless-stopped
     command: server
+    labels:
+      - diun.enable=true
     environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
       AUTHENTIK_REDIS__HOST: redis
       AUTHENTIK_POSTGRESQL__HOST: postgresql
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
@@ -45,18 +55,21 @@ services:
     env_file:
       - .env
     ports:
-      - "${COMPOSE_PORT_HTTP:-9000}:9000"
-      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+      - ${COMPOSE_PORT_HTTP:-9000}:9000
+      - ${COMPOSE_PORT_HTTPS:-9443}:9443
     depends_on:
       postgresql:
         condition: service_healthy
       redis:
         condition: service_healthy
   worker:
-    image: ghcr.io/goauthentik/server:2025.2.0
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
     restart: unless-stopped
     command: worker
+    labels:
+      - diun.enable=true
     environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
       AUTHENTIK_REDIS__HOST: redis
       AUTHENTIK_POSTGRESQL__HOST: postgresql
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
@@ -81,9 +94,9 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
-
 volumes:
   database:
     driver: local
   redis:
     driver: local
+networks: {}