Authentik

Bug

The docker-compose version of the deployment appears to be bugged and has known issues; deployment via Kubernetes is required for stability and support.

Purpose: Authentik is an open-source Identity Provider, focused on flexibility and versatility. With authentik, site administrators, application developers, and security engineers have a dependable and secure solution for authentication in almost any type of environment. There are robust recovery actions available for the users and applications, including user profile and password management. You can quickly edit, deactivate, or even impersonate a user profile, and set a new password for new users or reset an existing password.

This document is based on the Official Docker-Compose Documentation. It is meant for testing / small-scale production deployments.

Docker Configuration

docker-compose.yml
---
version: "3.4"

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /srv/containers/authentik/db:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - stack.env
    networks:
        docker_network:
          ipv4_address: 192.168.5.2

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /srv/containers/authentik/redis:/data
    networks:
        docker_network:
          ipv4_address: 192.168.5.3

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - /srv/containers/authentik/media:/media
      - /srv/containers/authentik/custom-templates:/templates
    env_file:
      - stack.env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
    networks:
        docker_network:
          ipv4_address: 192.168.5.4

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /srv/containers/authentik/media:/media
      - /srv/containers/authentik/certs:/certs
      - /srv/containers/authentik/custom-templates:/templates
    env_file:
      - stack.env
    depends_on:
      - postgresql
      - redis
    networks:
        docker_network:
          ipv4_address: 192.168.5.5

networks:
  default:
    external:
      name: docker_network
  docker_network:
    external: true

.env (the compose file above loads it as stack.env via env_file, so either name the file stack.env or adjust those entries)
PG_PASS=<See Below>
AUTHENTIK_SECRET_KEY=<See Below>
AUTHENTIK_BOOTSTRAP_PASSWORD=<SecurePassword>
AUTHENTIK_BOOTSTRAP_TOKEN=<SecureOneTimePassword>
[email protected]

## SMTP Host Emails are sent to
#AUTHENTIK_EMAIL__HOST=localhost
#AUTHENTIK_EMAIL__PORT=25
## Optionally authenticate (don't add quotation marks to your password)
#AUTHENTIK_EMAIL__USERNAME=
#AUTHENTIK_EMAIL__PASSWORD=
## Use StartTLS
#AUTHENTIK_EMAIL__USE_TLS=false
## Use SSL
#AUTHENTIK_EMAIL__USE_SSL=false
#AUTHENTIK_EMAIL__TIMEOUT=10
## Email address authentik will send from, should have a correct @domain
#AUTHENTIK_EMAIL__FROM=authentik@localhost

Generating Passwords

Navigate to the online PWGen Password Generator to generate the passwords for PG_PASS (40 characters) and AUTHENTIK_SECRET_KEY (50 characters).

Because of a PostgreSQL limitation, only passwords up to 99 characters are supported. See https://www.postgresql.org/message-id/[email protected]

Password Symbols

You may encounter the Authentik WebUI throwing "Forbidden" errors; this is likely caused by a PG_PASS value containing "problematic" characters. Avoid the characters "," ";" and ":" in the password you generate.
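As an added example (not from the original page or the authentik project), the following bash script generates both secrets locally with the lengths given above, restricts the alphabet so the problematic characters can never appear, and validates a finished .env file before the stack is started. The function names gen_secret, check_secret and check_env_file are chosen here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: generate PG_PASS and
# AUTHENTIK_SECRET_KEY locally and check a .env file against the constraints
# the page describes (40/50 characters, at most 99, no "," ";" or ":").
set -eu

# Alphabet is alphanumerics plus "_" so the value never contains the
# characters the page warns about, nor ones that .env parsing or shell
# quoting treat specially ($, #, quotes, spaces).
gen_secret() {
  # $1 = desired length. Read a fixed chunk so tr always sees EOF.
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9_' | head -c "$1"
}

check_secret() {
  # $1 = value, $2 = expected length. Returns 0 when the value has that
  # length, stays within PostgreSQL's 99-character limit, and avoids , ; :
  local value="$1" want="$2"
  [ "${#value}" -eq "$want" ] || return 1
  [ "${#value}" -le 99 ] || return 1
  case "$value" in *[,:]*|*";"*) return 1 ;; esac
  return 0
}

check_env_file() {
  # $1 = path to .env. Fails if PG_PASS or AUTHENTIK_SECRET_KEY is missing,
  # is still a "<See Below>" placeholder, exceeds 99 characters, or
  # contains one of the problematic characters.
  local file="$1" key value
  for key in PG_PASS AUTHENTIK_SECRET_KEY; do
    value=$(sed -n "s/^${key}=//p" "$file" | head -n 1)
    if [ -z "$value" ]; then echo "$key: missing" >&2; return 1; fi
    case "$value" in '<'*'>') echo "$key: placeholder not replaced" >&2; return 1 ;; esac
    if [ "${#value}" -gt 99 ]; then echo "$key: longer than 99 characters" >&2; return 1; fi
    case "$value" in *[,:]*|*";"*) echo "$key: contains , ; or :" >&2; return 1 ;; esac
  done
  return 0
}

# Stand-alone use: write a fresh pair into ./.env and validate the result.
if [ "${1:-}" = "--write" ]; then
  printf 'PG_PASS=%s\nAUTHENTIK_SECRET_KEY=%s\n' "$(gen_secret 40)" "$(gen_secret 50)" > .env
  check_env_file .env && echo "wrote .env"
fi
```

Run it with --write in the directory holding docker-compose.yml, then add the remaining AUTHENTIK_BOOTSTRAP_* lines by hand.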

WebUI Initial Setup

To start the initial setup, navigate to https://192.168.5.4:9443/if/flow/initial-setup/

Traefik Reverse Proxy Configuration

If the container does not run on the same host as Traefik, you will need to manually add the configuration outlined below to Traefik's dynamic config file. Replace PLACEHOLDER with the service name and host, and point the loadBalancer URL at authentik's HTTP port (9000 in the compose file above) rather than port 80.

http:
  routers:
    PLACEHOLDER:
      entryPoints:
        - websecure
      tls:
        certResolver: myresolver
      service: PLACEHOLDER
      rule: Host(`PLACEHOLDER.bunny-lab.io`)

  services:
    PLACEHOLDER:
      loadBalancer:
        servers:
          - url: http://PLACEHOLDER:80
        passHostHeader: true