Authentik - Identity & SSO Provider
Authentik is “an open-source Identity Provider focused on flexibility and versatility.” It acts as a user database and an authentication/authorization provider for Cloudflare Access and other web apps.
Deployment
Authentik requires (at least) four Docker containers. The server and the worker run from the same image; the remaining two are the database and the cache:

Image | Purpose
---|---
ghcr.io/goauthentik/server:2022.11.1 | The main Authentik server (web UI and API)
ghcr.io/goauthentik/server:2022.11.1 | Authentik backend worker (background and scheduled tasks)
postgres:12-alpine | Database
redis:alpine | Cache and task queue
Authentik provides a tutorial for setting up Authentik using Docker Compose. It is highly recommended to read the entire tutorial carefully. Also read the Terminology page, as its vocabulary (flows, stages, providers, applications, outposts) is required knowledge while configuring Authentik.
We deploy the Authentik stack using the following Docker Compose file and environment file. The `.env` file holds every secret, so it should be readable by the deploying user only.
docker-compose.yml

```yaml
---
version: '3.4'
services:
  database:
    image: postgres:12-alpine
    container_name: authdb
    restart: unless-stopped
    healthcheck:
      # $$ escapes the variable so it is expanded inside the container, not by Compose
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    # Compose already reads .env from the project directory for ${...} interpolation,
    # so the database container does not need the whole file: passing it via env_file
    # would hand AUTHENTIK_SECRET_KEY and the mail password to a container with no use for them.
  redis:
    image: redis:alpine
    container_name: authredis
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep -Fq PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
  server:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:?authentik version required}
    container_name: authentik
    restart: unless-stopped
    command: server
    # Long-form depends_on (Compose v2 / Compose Specification) waits for the
    # healthchecks above instead of only for the containers to be created.
    depends_on:
      database:
        condition: service_healthy
      redis:
        condition: service_healthy
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: database
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      # WORKERS: 2
    env_file:
      - .env
    networks:
      - default
      - swag   # only the server is reachable from the reverse proxy
  worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:?authentik version required}
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    depends_on:
      database:
        condition: service_healthy
      redis:
        condition: service_healthy
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: database
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
    env_file:
      - .env
volumes:
  database:
    driver: local
networks:
  swag:
    external: true
    name: swag_default
```
.env

```ini
AUTHENTIK_VERSION=2022.11.1
PG_PASS=[redacted]
AUTHENTIK_EMAIL__HOST=mail.kasad.com
AUTHENTIK_EMAIL__PORT=465
AUTHENTIK_EMAIL__USE_SSL=true
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=Kasad Auth <no-reply@auth2.kasad.com>
AUTHENTIK_EMAIL__USERNAME=authentik
AUTHENTIK_EMAIL__PASSWORD=[redacted]
# Used for cookie signing; do not change it after the first start.
AUTHENTIK_SECRET_KEY=[redacted]
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
```
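The two values redacted above, `PG_PASS` and `AUTHENTIK_SECRET_KEY`, are the ones the whole stack's security rests on, so it is worth scripting their generation and a pre-flight check rather than typing them by hand. The following POSIX shell script is an added example, not part of the original page or of the authentik project: it writes a fresh `.env` with random secrets and a 0600 mode, then checks that the required keys are present, are not placeholders, and that the file is not group- or world-readable. The script name `bootstrap-env.sh`, the placeholder list, and the 50-character minimum for the secret key are this example's own assumptions (the authentik docs suggest generating the key with a command such as `openssl rand -base64 60`, which yields a longer string).

```shell
#!/bin/sh
# bootstrap-env.sh (added example, hypothetical name): create and sanity-check
# the .env file used by the Compose stack above. Key names match that file;
# the length threshold and placeholder list are assumptions of this script.
set -eu

# 32 random bytes rendered as 64 hex characters, using only /dev/urandom and od.
gen_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \t\n'
}

# Write a new .env at $1 with generated PG_PASS and AUTHENTIK_SECRET_KEY.
# The subshell umask makes the file 0600 from the moment it is created; mail
# settings are left out here because they are site-specific.
write_env() {
    env_file=$1
    (
        umask 077
        cat > "$env_file" <<EOF
AUTHENTIK_VERSION=2022.11.1
PG_PASS=$(gen_secret)
AUTHENTIK_SECRET_KEY=$(gen_secret)
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
EOF
    )
}

# Last value assigned to key $2 in file $1 (empty if absent).
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return 0 when $1 is a private file whose required keys hold real values;
# otherwise print every problem found and return 1.
check_env() {
    env_file=$1
    rc=0
    if [ ! -f "$env_file" ]; then
        echo "missing: $env_file"
        return 1
    fi
    # Columns 5-10 of ls -l are the group and other permission bits.
    perms=$(ls -l "$env_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$env_file is readable by group or others (bits: $perms)"
        rc=1
    fi
    for key in AUTHENTIK_VERSION PG_PASS AUTHENTIK_SECRET_KEY; do
        case "$(env_value "$env_file" "$key")" in
            ''|'[redacted]'|changeme|password)
                echo "$key is unset or still a placeholder"
                rc=1 ;;
        esac
    done
    # The secret key signs cookies; refuse anything short enough to brute-force.
    secret=$(env_value "$env_file" AUTHENTIK_SECRET_KEY)
    if [ "${#secret}" -lt 50 ]; then
        echo "AUTHENTIK_SECRET_KEY is shorter than 50 characters"
        rc=1
    fi
    return $rc
}

# Usage: sh bootstrap-env.sh init [.env]    (refuses to overwrite an existing file)
#        sh bootstrap-env.sh check [.env]
case "${1:-}" in
    init)
        target=${2:-.env}
        if [ -e "$target" ]; then
            echo "$target already exists, refusing to overwrite"
            exit 1
        fi
        write_env "$target" ;;
    check)
        check_env "${2:-.env}" ;;
esac
```

Run `sh bootstrap-env.sh init` once before the first `docker compose up`, and `sh bootstrap-env.sh check` before every later deploy; the check catches a `.env` that was copied from this page with the `[redacted]` markers still in place, or one that was recreated with default permissions after an edit.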
SWAG network
Since our Authentik instance is reverse-proxied behind the Secure Web Application Gateway, the SWAG container needs network access to the Authentik server container. In the Compose stack above this is done by attaching only the `server` service to the external `swag_default` network; the worker, database, and Redis stay on the stack's private default network and are not reachable from the proxy. See this explanation for details.
Configuration
The configuration required to get Authentik working according to my specifications is extensive. It's also still changing significantly. Because of this, I will leave the writing of the rest of this page for a later date.
To do: document Authentik configuration