Authentik - Identity & SSO Provider

Authentik is "an open-source Identity Provider focused on flexibility and versatility." It acts as a user database and an authentication/authorization provider for Cloudflare Access and other web apps.

Deployment

Authentik requires (at least) 4 Docker containers:

Image                                  Purpose
ghcr.io/goauthentik/server:2022.8.2    The main Authentik server
ghcr.io/goauthentik/server:2022.8.2    Authentik backend worker
postgres:12-alpine                     Database
redis:alpine                           Cache server

Authentik provides a tutorial for setting up Authentik using Docker Compose. It is highly recommended to read the entire tutorial carefully. Also read the Terminology page, since its terms (flows, stages, providers, outposts) are used throughout the configuration.

We deploy the Authentik stack using the following Docker Compose file and environment file.

docker-compose.yml

---
version: '3.4'

services:
  database:
    image: postgres:12-alpine
    container_name: authdb
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    env_file:
      - .env
      
  redis:
    image: redis:alpine
    container_name: authredis
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep -Fq PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
      
  server:
    image: ghcr.io/goauthentik/server:2022.8.2
    container_name: authentik
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: database
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      # WORKERS: 2
    env_file:
      - .env
    networks:
      - default
      - swag

  worker:
    image: ghcr.io/goauthentik/server:2022.8.2
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: database
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
    env_file:
      - .env

volumes:
  database:
    driver: local
    
networks:
  swag:
    external: true
    name: swag_default

.env

PG_PASS=[redacted]
AUTHENTIK_EMAIL__HOST=mail.kasad.com
AUTHENTIK_EMAIL__PORT=465
AUTHENTIK_EMAIL__USE_SSL=true
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=Kasad Auth <no-reply@auth2.kasad.com>
AUTHENTIK_EMAIL__USERNAME=authentik
AUTHENTIK_EMAIL__PASSWORD=[redacted]
AUTHENTIK_SECRET_KEY=[redacted]
AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME=false
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
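As an added example (not part of this page), a POSIX shell pre-flight check for the .env file above: it refuses to deploy while PG_PASS, AUTHENTIK_SECRET_KEY or AUTHENTIK_EMAIL__PASSWORD are still the [redacted] placeholders, enforces minimum lengths (the 50- and 16-character thresholds are this script's own choice), and requires mode 600 because the file holds the SMTP password and signing key and is loaded into every container, the database included, via env_file.

```shell
#!/bin/sh
# Added example (not from the wiki): pre-flight check for the Authentik .env file.
# Length thresholds (secret key >= 50 chars, PG_PASS >= 16 chars) are this script's
# own assumptions; the key names are the ones used in the .env above.

# env_value FILE KEY -> prints KEY's value from FILE (last definition wins, empty if absent)
env_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_env_file FILE -> returns 0 if the file looks deployable, 1 otherwise (problems printed)
check_env_file() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }

    # 1. Secrets must be set and must not still be the [redacted] placeholder.
    for key in PG_PASS AUTHENTIK_SECRET_KEY AUTHENTIK_EMAIL__PASSWORD; do
        v=$(env_value "$f" "$key")
        case "$v" in
            ""|"[redacted]") echo "$f: $key unset or placeholder"; rc=1 ;;
        esac
    done

    # 2. Minimum lengths (assumed thresholds).
    v=$(env_value "$f" AUTHENTIK_SECRET_KEY)
    [ "${#v}" -ge 50 ] || { echo "$f: AUTHENTIK_SECRET_KEY shorter than 50 chars"; rc=1; }
    v=$(env_value "$f" PG_PASS)
    [ "${#v}" -ge 16 ] || { echo "$f: PG_PASS shorter than 16 chars"; rc=1; }

    # 3. The file carries secrets and is fed to every container: require mode 600.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: mode too open, expected 600"; rc=1; }
    return "$rc"
}

# Constructed demo: one deployable file, one still holding the wiki's placeholders.
tmp=$(mktemp -d)
good="$tmp/.env"; bad="$tmp/bad.env"
{
    echo "PG_PASS=$(head -c 36 /dev/urandom | base64 | tr -d '\n')"
    echo "AUTHENTIK_SECRET_KEY=$(head -c 60 /dev/urandom | base64 | tr -d '\n')"
    echo "AUTHENTIK_EMAIL__PASSWORD=$(head -c 24 /dev/urandom | base64 | tr -d '\n')"
    echo "AUTHENTIK_EMAIL__PORT=465"
} > "$good"
chmod 600 "$good"
printf 'PG_PASS=[redacted]\nAUTHENTIK_SECRET_KEY=[redacted]\n' > "$bad"
check_env_file "$good" && echo "$good: ok"
check_env_file "$bad"  || echo "$bad: refusing to deploy"
```

Run it against the real .env before `docker compose up`; a non-zero exit means one of the three checks failed.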

SWAG network

Since our Authentik instance is reverse-proxied behind the Secure Web Application Gateway, the SWAG container needs network access to the Authentik server container. This is handled in the Compose stack above by attaching the server service to the external swag network (the worker does not need it). See this explanation for details.

Configuration

The configuration required to get Authentik working according to my specifications is extensive. It's also still changing significantly. Because of this, I will leave the writing of the rest of this page for a later date.

To do: document Authentik configuration