Update Authentik Installation

pages/02.linux/authentik/default.en.md

@@ -7,6 +7,12 @@ visible: false
 
 ## Podman
 
+### Podman Socket
+
+Podman in version `3.0` comes with the socket already enabled for the root user.
+
+https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md
+
 ### Network and Pod
 
 ```sh
@@ -31,7 +37,7 @@ podman run --name authentik_db \
     -e POSTGRES_DB={DB NAME} \
     -v /mnt/authentik_db:/var/lib/postgresql/data \
     --pod pod_authentik \
-    -d docker.io/postgres:14
+    -d docker.io/postgres:15
 ```
 
 ### Redis
@@ -48,7 +54,7 @@ podman run --name authentik_redis \
 
 https://goauthentik.io/docs/installation/docker-compose
 
-Generate `PG_PASS` and `AUTHENTIK_SECRET_KEY` using `openssl rand -base64 40 / 50`
+Generate `PG_PASS` and `AUTHENTIK_SECRET_KEY` using `openssl rand -base64 40`
 
 ```sh
 podman run --name authentik_server \
@@ -76,7 +82,7 @@ podman run --name authentik_server \
     -v /mnt/authentik/templates:/templates \
     -v /mnt/authentik/geoip:/geoip \
     --pod pod_authentik \
-    -d ghcr.io/goauthentik/server:latest \
+    -d ghcr.io/goauthentik/server:2023.2 \
     server
 ```
 
@@ -104,16 +110,88 @@ podman run --name authentik_worker \
     -e AUTHENTIK_EMAIL__TIMEOUT=10 \
     # Email address authentik will send from, should have a correct @domain
     -e AUTHENTIK_EMAIL__FROM={EMAIL} \
-    -v /mnt/authentik/media:/media \
+    -v /var/run/podman/podman.sock:/var/run/docker.sock \
     -v /mnt/authentik/certs:/certs \
+    -v /mnt/authentik/media:/media \
     -v /mnt/authentik/templates:/templates \
     -v /mnt/authentik/geoip:/geoip \
     --pod pod_authentik \
-    -d ghcr.io/goauthentik/server:latest \
+    -d ghcr.io/goauthentik/server:2023.2 \
     worker
 ```
 
+### Nginx
+
+```nginx
+# Upstream where your authentik server is hosted.
+upstream authentik {
+    server 172.18.50.10:9443;
+    # Improve performance by keeping some connections alive.
+    keepalive 10;
+}
+
+# Upgrade WebSocket if requested, otherwise use keepalive
+map $http_upgrade $connection_upgrade_keepalive {
+    default upgrade;
+    ''      '';
+}
+
+server {
+    server_name auth.exu.li;
+
+    # Proxy site
+    location / {
+        proxy_pass https://authentik;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade_keepalive;
+    }
+
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    ssl_certificate_key /etc/acme-sh/auth.exu.li/key.pem;
+    ssl_certificate /etc/acme-sh/auth.exu.li/cert.pem;
+}
+
+server {
+    if ($host = auth.exu.li) {
+        return 301 https://$host$request_uri;
+    }
+
+    listen 80;
+    listen [::]:80;
+    server_name auth.exu.li;
+    return 404;
+}
+```
+
+### Systemd Services
+
+_TODO_
+
 ## Setup
 
 After starting all containers, visit the path `https://{SERVER IP}:{PORT}/if/flow/initial-setup/` in your browser.  
 The default user is called `akadmin`
+
+### LDAP with Jellyfin
+
+https://goauthentik.io/docs/providers/ldap/generic_setup  
+https://goauthentik.io/integrations/services/jellyfin/
+
+#### Manual LDAP Outpost
+
+https://goauthentik.io/docs/outposts/manual-deploy-docker-compose
+
+```sh
+podman run --name authentik_ldap -p 389:3389 -p 636:6636 \
+    -e AUTHENTIK_HOST=https://{AUTHENTIK URL} \
+    -e AUTHENTIK_INSECURE=false \
+    -e AUTHENTIK_TOKEN={GENERATED TOKEN} \
+    -d ghcr.io/goauthentik/ldap:2023.2
+```
+
+### SAML with Nextcloud