wiki-grav/pages/02.linux/authentik/default.en.md

214 lines
5.5 KiB
Markdown
Raw Normal View History

2022-10-10 19:17:35 +02:00
---
title: Authentik
visible: true
2022-10-10 19:17:35 +02:00
---
[toc]
2022-12-16 11:46:32 +01:00
2022-10-10 19:17:35 +02:00
## Podman
2022-12-16 11:46:32 +01:00
2023-02-28 18:40:09 +01:00
### Podman Socket
Podman in version `3.0` comes with the socket already enabled for the root user.
> [https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)
2023-02-28 18:40:09 +01:00
2022-10-10 19:17:35 +02:00
### Network and Pod
2022-12-16 11:46:32 +01:00
[shroot]
podman network create net_authentik
podman pod create --name pod_authentik --network net_authentik -p 9000:9000 -p 9443:9443
[/shroot]
2022-10-10 19:17:35 +02:00
#### Port Mappings
2022-12-16 11:46:32 +01:00
2022-10-10 19:17:35 +02:00
```
2023-02-26 21:18:12 +01:00
9000: Authentik HTTP
9443: Authentik HTTPS
2022-10-10 19:17:35 +02:00
```
### Database
[shroot]
2023-06-02 17:55:20 +02:00
```sh
podman run --name authentik_db \
-e PGDATA=/var/lib/postgresql/data/pgdata \
-e POSTGRES_USER=${DB_USER} \
-e POSTGRES_PASSWORD=[DB_PASS] \
-e POSTGRES_DB=[DB_NAME] \
-v /mnt/authentik_db:/var/lib/postgresql/data \
2022-10-10 19:17:35 +02:00
--pod pod_authentik \
-d docker.io/postgres:15
2023-06-02 17:55:20 +02:00
```
[/shroot]
2022-10-10 19:17:35 +02:00
### Redis
2022-12-16 11:46:32 +01:00
[shroot]
2023-06-02 17:55:20 +02:00
```sh
2023-02-19 15:21:41 +01:00
podman run --name authentik_redis \
2022-10-10 19:17:35 +02:00
-v /mnt/authentik_redis:/data \
--pod pod_authentik \
-d docker.io/redis:7 \
redis-server --save 60 1 --loglevel warning
```
2023-06-02 17:55:20 +02:00
[/shroot]
2022-10-10 19:17:35 +02:00
### Application Server
2022-12-16 11:46:32 +01:00
2022-10-10 19:17:35 +02:00
https://goauthentik.io/docs/installation/docker-compose
2022-12-16 11:46:32 +01:00
2023-02-28 18:40:09 +01:00
Generate `PG_PASS` and `AUTHENTIK_SECRET_KEY` using `openssl rand -base64 40`
2022-10-10 19:17:35 +02:00
[shroot]
2023-06-02 17:55:20 +02:00
2023-06-02 17:51:04 +02:00
```sh
2023-02-26 21:18:12 +01:00
podman run --name authentik_server \
-e PG_PASS={RANDOM PASS} \
-e AUTHENTIK_SECRET_KEY={RANDOM SECRET} \
-e AUTHENTIK_REDIS__HOST=authentik_redis \
-e AUTHENTIK_POSTGRESQL__HOST=authentik_db \
-e AUTHENTIK_POSTGRESQL__USER={DB USER} \
-e AUTHENTIK_POSTGRESQL__NAME={DB NAME} \
-e AUTHENTIK_POSTGRESQL__PASSWORD={DB PASS} \
# SMTP Host Emails are sent to
-e AUTHENTIK_EMAIL__HOST={SMTP SERVER} \
-e AUTHENTIK_EMAIL__PORT=465 \
# Optionally authenticate (don't add quotation marks to your password)
-e AUTHENTIK_EMAIL__USERNAME={SMTP USER} \
-e AUTHENTIK_EMAIL__PASSWORD={SMTP PASS} \
# Use StartTLS
-e AUTHENTIK_EMAIL__USE_TLS=false \
# Use SSL
-e AUTHENTIK_EMAIL__USE_SSL=true \
-e AUTHENTIK_EMAIL__TIMEOUT=10 \
# Email address authentik will send from, should have a correct @domain
-e AUTHENTIK_EMAIL__FROM={EMAIL} \
-v /mnt/authentik/media:/media \
-v /mnt/authentik/templates:/templates \
-v /mnt/authentik/geoip:/geoip \
--pod pod_authentik \
2023-02-28 18:40:09 +01:00
-d ghcr.io/goauthentik/server:2023.2 \
2023-02-26 21:18:12 +01:00
server
2023-06-02 17:51:04 +02:00
```
2023-06-02 17:55:20 +02:00
[/shroot]
2022-10-10 19:17:35 +02:00
### Application Worker
2022-12-16 11:46:32 +01:00
[shroot]
2023-06-02 17:55:20 +02:00
```sh
2023-02-26 21:18:12 +01:00
podman run --name authentik_worker \
-e PG_PASS={RANDOM PASS} \
-e AUTHENTIK_SECRET_KEY={RANDOM SECRET} \
-e AUTHENTIK_REDIS__HOST=authentik_redis \
-e AUTHENTIK_POSTGRESQL__HOST=authentik_db \
-e AUTHENTIK_POSTGRESQL__USER={DB USER} \
-e AUTHENTIK_POSTGRESQL__NAME={DB NAME} \
-e AUTHENTIK_POSTGRESQL__PASSWORD={DB PASS} \
# SMTP Host Emails are sent to
-e AUTHENTIK_EMAIL__HOST={SMTP SERVER} \
-e AUTHENTIK_EMAIL__PORT=465 \
# Optionally authenticate (don't add quotation marks to your password)
-e AUTHENTIK_EMAIL__USERNAME={SMTP USER} \
-e AUTHENTIK_EMAIL__PASSWORD={SMTP PASS} \
# Use StartTLS
-e AUTHENTIK_EMAIL__USE_TLS=false \
# Use SSL
-e AUTHENTIK_EMAIL__USE_SSL=true \
-e AUTHENTIK_EMAIL__TIMEOUT=10 \
# Email address authentik will send from, should have a correct @domain
-e AUTHENTIK_EMAIL__FROM={EMAIL} \
2023-02-28 18:40:09 +01:00
-v /var/run/podman/podman.sock:/var/run/docker.sock \
2023-02-26 21:18:12 +01:00
-v /mnt/authentik/certs:/certs \
2023-02-28 18:40:09 +01:00
-v /mnt/authentik/media:/media \
2023-02-26 21:18:12 +01:00
-v /mnt/authentik/templates:/templates \
-v /mnt/authentik/geoip:/geoip \
--pod pod_authentik \
2023-02-28 18:40:09 +01:00
-d ghcr.io/goauthentik/server:2023.2 \
2023-02-26 21:18:12 +01:00
worker
```
2023-06-02 17:55:20 +02:00
[/shroot]
2022-12-16 11:46:32 +01:00
2023-02-28 18:40:09 +01:00
### Nginx
```nginx
# Upstream where your authentik server is hosted.
upstream authentik {
server 172.18.50.10:9443;
# Improve performance by keeping some connections alive.
keepalive 10;
}
# Upgrade WebSocket if requested, otherwise use keepalive
map $http_upgrade $connection_upgrade_keepalive {
default upgrade;
'' '';
}
server {
server_name auth.exu.li;
# Proxy site
location / {
proxy_pass https://authentik;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade_keepalive;
}
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate_key /etc/acme-sh/auth.exu.li/key.pem;
ssl_certificate /etc/acme-sh/auth.exu.li/cert.pem;
}
server {
if ($host = auth.exu.li) {
return 301 https://$host$request_uri;
}
listen 80;
listen [::]:80;
server_name auth.exu.li;
return 404;
}
```
### Systemd Services
_TODO_
2023-02-26 21:18:12 +01:00
## Setup
2022-10-10 19:17:35 +02:00
2023-02-26 21:18:12 +01:00
After starting all containers, visit the path `https://{SERVER IP}:{PORT}/if/flow/initial-setup/` in your browser.
The default user is called `akadmin`
2023-02-28 18:40:09 +01:00
2023-04-02 15:54:14 +02:00
## Manual LDAP Outpost
2023-02-28 18:40:09 +01:00
2023-04-02 15:54:14 +02:00
Manual deployment of outposts is necessary, if no integration for kubernetes or docker is provided to authentik.
Outposts are available as OCI-containers and can be deployed like any other container.
2023-02-28 18:40:09 +01:00
> [https://goauthentik.io/docs/outposts/manual-deploy-docker-compose](https://goauthentik.io/docs/outposts/manual-deploy-docker-compose)
2023-02-28 18:40:09 +01:00
[shroot]
2023-06-02 17:55:20 +02:00
2023-06-02 17:51:04 +02:00
```sh
2023-02-28 18:40:09 +01:00
podman run --name authentik_ldap -p 389:3389 -p 636:6636 \
-e AUTHENTIK_HOST=https://{AUTHENTIK URL} \
-e AUTHENTIK_INSECURE=false \
-e AUTHENTIK_TOKEN={GENERATED TOKEN} \
-d ghcr.io/goauthentik/ldap:2023.2
2023-06-02 17:51:04 +02:00
```
2023-06-02 17:55:20 +02:00
[/shroot]