🔑 Authentik

Authentik makes it easy to build enterprise-grade SSO and OpenID authentication to your infrastructure.

Welcome | authentik
Making authentication simple.

Authentik (code) handles Authentication ("AuthN") so you don't have to.

If you need SSO, or an OpenID provider, Authentik does that and more. It also provides your users with a nice login screen with a listing of apps, similar to what you might get from other enterprise solutions.

Authentik application login screen (source: https://goauthentik.io/docs/)

Authentik is a fantastic tool to use in an enterprise environment or a homelab setup – it can be used as a proxy middleware (via nginx or traefik or similar proxies) to do authentication and allow/prevent access to hosted applications.

Authentik also comes with a very robust authentication event modeling system – you can build custom flows that request different credentials, and interact with applications. Along with that, you get some nice statistics and monitoring tools:

Authentik system overview page (source: https://goauthentik.io/docs/)

Running Authentik

Authentik has excellent documentation, and getting started with docker-compose is well documented. That said, it's not simple to run Authentik – there are at least a few moving parts compared to some other simpler AuthN solutions.

Assuming you're working with postgres, getting started looks something like this:

---
version: '3.4'

services:

  # Authentik itself
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.12.2}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    ports:
      - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
      - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"

  # Authentik worker that processes jobs
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.12.2}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the 

  # DB instance 
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    env_file:
      - .env
      
  # Caching 
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
      
permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env

volumes:
  database:
    driver: local
  redis:
    driver: local