From f8a4ab16140e267f3787448fb448ed2dfa4f67ff Mon Sep 17 00:00:00 2001 From: RealStickman Date: Tue, 28 Feb 2023 18:40:09 +0100 Subject: [PATCH] Update Authentik Installation --- pages/02.linux/authentik/default.en.md | 88 ++++++++++++++++++++++++-- 1 file changed, 83 insertions(+), 5 deletions(-) diff --git a/pages/02.linux/authentik/default.en.md b/pages/02.linux/authentik/default.en.md index dce5fb8..9b067d7 100644 --- a/pages/02.linux/authentik/default.en.md +++ b/pages/02.linux/authentik/default.en.md @@ -7,6 +7,12 @@ visible: false ## Podman +### Podman Socket + +Podman in version `3.0` comes with the socket already enabled for the root user. + +https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md + ### Network and Pod ```sh @@ -31,7 +37,7 @@ podman run --name authentik_db \ -e POSTGRES_DB={DB NAME} \ -v /mnt/authentik_db:/var/lib/postgresql/data \ --pod pod_authentik \ - -d docker.io/postgres:14 + -d docker.io/postgres:15 ``` ### Redis @@ -48,7 +54,7 @@ podman run --name authentik_redis \ https://goauthentik.io/docs/installation/docker-compose -Generate `PG_PASS` and `AUTHENTIK_SECRET_KEY` using `openssl rand -base64 40 / 50` +Generate `PG_PASS` and `AUTHENTIK_SECRET_KEY` using `openssl rand -base64 40` ```sh podman run --name authentik_server \ @@ -76,7 +82,7 @@ podman run --name authentik_server \ -v /mnt/authentik/templates:/templates \ -v /mnt/authentik/geoip:/geoip \ --pod pod_authentik \ - -d ghcr.io/goauthentik/server:latest \ + -d ghcr.io/goauthentik/server:2023.2 \ server ``` @@ -104,16 +110,88 @@ podman run --name authentik_worker \ -e AUTHENTIK_EMAIL__TIMEOUT=10 \ # Email address authentik will send from, should have a correct @domain -e AUTHENTIK_EMAIL__FROM={EMAIL} \ - -v /mnt/authentik/media:/media \ + -v /var/run/podman/podman.sock:/var/run/docker.sock \ -v /mnt/authentik/certs:/certs \ + -v /mnt/authentik/media:/media \ -v /mnt/authentik/templates:/templates \ -v /mnt/authentik/geoip:/geoip \ --pod pod_authentik \ - -d ghcr.io/goauthentik/server:latest \ + -d ghcr.io/goauthentik/server:2023.2 \ worker ``` +### Nginx + +```nginx +# Upstream where your authentik server is hosted. +upstream authentik { + server 172.18.50.10:9443; + # Improve performance by keeping some connections alive. + keepalive 10; +} + +# Upgrade WebSocket if requested, otherwise use keepalive +map $http_upgrade $connection_upgrade_keepalive { + default upgrade; + '' ''; +} + +server { + server_name auth.exu.li; + + # Proxy site + location / { + proxy_pass https://authentik; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_keepalive; + } + + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate_key /etc/acme-sh/auth.exu.li/key.pem; + ssl_certificate /etc/acme-sh/auth.exu.li/cert.pem; +} + +server { + if ($host = auth.exu.li) { + return 301 https://$host$request_uri; + } + + listen 80; + listen [::]:80; + server_name auth.exu.li; + return 404; +} +``` + +### Systemd Services + +_TODO_ + ## Setup After starting all containers, visit the path `https://{SERVER IP}:{PORT}/if/flow/initial-setup/` in your browser. The default user is called `akadmin` + +### LDAP with Jellyfin + +https://goauthentik.io/docs/providers/ldap/generic_setup +https://goauthentik.io/integrations/services/jellyfin/ + +#### Manual LDAP Outpost + +https://goauthentik.io/docs/outposts/manual-deploy-docker-compose + +```sh +podman run --name authentik_ldap -p 389:3389 -p 636:6636 \ + -e AUTHENTIK_HOST=https://{AUTHENTIK URL} \ + -e AUTHENTIK_INSECURE=false \ + -e AUTHENTIK_TOKEN={GENERATED TOKEN} \ + -d ghcr.io/goauthentik/ldap:2023.2 +``` + +### SAML with Nextcloud