Docker compose Installation

Prerequisites

Create a folder specifically for this app.
Add DNS record for the FQDN auth.domain.com to your server public IP address.
(If no reverse proxy installed) Add NAT rule on your router/firewall to redirect incoming connection on port 443 to your internal server IP on port 9443.

Environment file .env

Authentik uses a .env file to load environment variables, here's how to set it up :

# You can also use openssl instead: `openssl rand -base64 36`
sudo apt-get install -y pwgen
# Because of a PostgreSQL limitation, only passwords up to 99 chars are supported
# See https://www.postgresql.org/message-id/[email protected]
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env

#Change port if necessary
echo "AUTHENTIK_PORT_HTTP=9000" >> .env
echo "AUTHENTIK_PORT_HTTPS=9443" >> .env

#Create an account on https://www.maxmind.com/en/geolite2/signup
#And generate a licence key and enter them here
echo "GEOIPUPDATE_ACCOUNT_ID=" >> .env
echo "GEOIPUPDATE_LICENSE_KEY=" >> .env
echo "AUTHENTIK_AUTHENTIK__GEOIP=/geoip/GeoLite2-City.mmdb" >> .env

#Disable data analytics
echo "AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true" >> .env

#Set version (check last version on official github)
echo "AUTHENTIK_TAG=<VERSION_HERE>" >> .env

As the official doc indicate to run authentik as root user, we can at least protect our .env file to be read only by root :

sudo chown root:root .env && sudo chmod 640 .env

Preparation

Creates the 3 folders certs, custom-templates and media inside your authentik directory

mkdir certs custom-templates media

Docker compose file

Here is my version of the docker compose template file for authentik, if you want the official one, you can download it here.

docker-compose.yml

---
version: "3.4"
services:
  dockersocket:
    container_name: authentik-dockersocket
    environment:
      POST: 1
      CONTAINERS: 1
      IMAGES: 1
    image: tecnativa/docker-socket-proxy
    networks:
      - authsocket
    restart: unless-stopped
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  geoipupdate:
    container_name: authentik-geoip
    env_file:
      - .env
    environment:
      GEOIPUPDATE_EDITION_IDS: GeoLite2-City
      GEOIPUPDATE_FREQUENCY: "12"
    image: "maxmindinc/geoipupdate:latest"
    networks:
      - authproxy
    volumes:
      - "geoip:/usr/share/GeoIP"
  postgresql:
    container_name: authentik-postgres
    env_file:
      - .env
    environment:
      - "POSTGRES_PASSWORD=${PG_PASS}"
      - "POSTGRES_USER=${PG_USER:-authentik}"
      - "POSTGRES_DB=${PG_DB:-authentik}"
    healthcheck:
      interval: 30s
      retries: 5
      start_period: 20s
      test:
        - CMD-SHELL
        - "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
      timeout: 5s
    image: "postgres:12-alpine"
    networks:
      - authproxy
    restart: unless-stopped
    volumes:
      - "database:/var/lib/postgresql/data"
  redis:
    container_name: authentik-redis
    healthcheck:
      interval: 30s
      retries: 5
      start_period: 20s
      test:
        - CMD-SHELL
        - "redis-cli ping | grep PONG"
      timeout: 3s
    image: "redis:alpine"
    networks:
      - authproxy
    restart: unless-stopped
  server:
    command: server
    container_name: authentik-server
    env_file:
      - .env
    environment:
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__NAME: "${PG_DB:-authentik}"
      AUTHENTIK_POSTGRESQL__PASSWORD: "${PG_PASS}"
      AUTHENTIK_POSTGRESQL__USER: "${PG_USER:-authentik}"
      AUTHENTIK_REDIS__HOST: authentik-redis
    image: "${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}"
    networks:
      - authproxy
      - proxymedia
      - proxyadmin
    ports:
      - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
    restart: unless-stopped
    volumes:
      - "./media:/media"
      - "./custom-templates:/templates"
      - "geoip:/geoip"
  worker:
    command: worker
    container_name: authentik-worker
    depends_on:
      - authentik-dockersocket
    env_file:
      - .env
    environment:
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__NAME: "${PG_DB:-authentik}"
      AUTHENTIK_POSTGRESQL__PASSWORD: "${PG_PASS}"
      AUTHENTIK_POSTGRESQL__USER: "${PG_USER:-authentik}"
      AUTHENTIK_REDIS__HOST: authentik-redis
      DOCKER_HOST: authentik-dockersocket
    image: "${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}"
    networks:
      - authproxy
      - authsocket
    restart: unless-stopped
    user: root
    volumes:
      - "./media:/media"
      - "./certs:/certs"
      - "./custom-templates:/templates"
      - "geoip:/geoip"

networks:
  authproxy:
    driver: bridge
    external: false
  authsocket:
    driver: bridge
    external: false
  proxymedia:
    driver: bridge
    external: true
  proxyadmin:
    driver: bridge
    external: true

volumes:
  database:
    driver: local
  geoip:
    driver: local

As you can see, this template is tweaked compared to the original one, I added a docker-socket-proxy to secure the access to the docker socket, as the authentik worker only require access to docker images and containers.

I also separated networks for authentik :

The authproxy network contains all of the containers except authentik-dockersocket
The authsocket network contains only the worker and the dockersocket container to limit access to the socket.

In my current configuration, I use authentik as my IDP but also my Reverse-proxy. This isn't ideal as there isn't much configuration settings but for the start it's not that bad. This is why I have two network proxyadmin and proxymedia, respectively containing all server administration apps and media apps which will be accessed by everyone.

If you want to do like me, you have to create those networks with "sudo docker network create proxyadmin" and "sudo docker network create proxymedia"

If you already use a reverse proxy, delete networks proxyadmin and proxymedia, as well as their references in the authentik-server container inside docker-compose.yml

To begin the initial setup, navigate to https://auth.domain.com/if/flow/initial-setup/ or https://<your server>:9443/if/flow/initial-setup if accessed by LAN.

There you will be asked to set a password for the akadmin user.

PreviousAuthentik NextAuthentik as Reverse-Proxy

Last updated 3 years ago