--- title: Authentik visible: true --- [toc] ## Podman ### Podman Socket Podman in version `3.0` comes with the socket already enabled for the root user. https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md ### Network and Pod [prism classes="language-sh command-line" cl-prompt="#"] podman network create net_authentik podman pod create --name pod_authentik --network net_authentik -p 9000:9000 -p 9443:9443 [/prism] #### Port Mappings ``` 9000: Authentik HTTP 9443: Authentik HTTPS ``` ### Database [prism classes="language-bash command-line" cl-prompt="#" cl-continuation="\\"] podman run --name authentik_db \a -e PGDATA=/var/lib/postgresql/data/pgdata \ -e POSTGRES_USER=[DB_USER] \ -e POSTGRES_PASSWORD=[DB_PASS] \ -e POSTGRES_DB=[DB_NAME] \ -v /mnt/authentik_db:/var/lib/postgresql/data \ --pod pod_authentik \ -d docker.io/postgres:15 [/prism] ### Redis ```sh podman run --name authentik_redis \ -v /mnt/authentik_redis:/data \ --pod pod_authentik \ -d docker.io/redis:7 \ redis-server --save 60 1 --loglevel warning ``` ### Application Server https://goauthentik.io/docs/installation/docker-compose Generate `PG_PASS` and `AUTHENTIK_SECRET_KEY` using `openssl rand -base64 40` ```sh podman run --name authentik_server \ -e PG_PASS={RANDOM PASS} \ -e AUTHENTIK_SECRET_KEY={RANDOM SECRET} \ -e AUTHENTIK_REDIS__HOST=authentik_redis \ -e AUTHENTIK_POSTGRESQL__HOST=authentik_db \ -e AUTHENTIK_POSTGRESQL__USER={DB USER} \ -e AUTHENTIK_POSTGRESQL__NAME={DB NAME} \ -e AUTHENTIK_POSTGRESQL__PASSWORD={DB PASS} \ # SMTP Host Emails are sent to -e AUTHENTIK_EMAIL__HOST={SMTP SERVER} \ -e AUTHENTIK_EMAIL__PORT=465 \ # Optionally authenticate (don't add quotation marks to your password) -e AUTHENTIK_EMAIL__USERNAME={SMTP USER} \ -e AUTHENTIK_EMAIL__PASSWORD={SMTP PASS} \ # Use StartTLS -e AUTHENTIK_EMAIL__USE_TLS=false \ # Use SSL -e AUTHENTIK_EMAIL__USE_SSL=true \ -e AUTHENTIK_EMAIL__TIMEOUT=10 \ # Email address authentik will send from, should have a correct @domain -e AUTHENTIK_EMAIL__FROM={EMAIL} \ -v /mnt/authentik/media:/media \ -v /mnt/authentik/templates:/templates \ -v /mnt/authentik/geoip:/geoip \ --pod pod_authentik \ -d ghcr.io/goauthentik/server:2023.2 \ server ``` ### Application Worker ```sh podman run --name authentik_worker \ -e PG_PASS={RANDOM PASS} \ -e AUTHENTIK_SECRET_KEY={RANDOM SECRET} \ -e AUTHENTIK_REDIS__HOST=authentik_redis \ -e AUTHENTIK_POSTGRESQL__HOST=authentik_db \ -e AUTHENTIK_POSTGRESQL__USER={DB USER} \ -e AUTHENTIK_POSTGRESQL__NAME={DB NAME} \ -e AUTHENTIK_POSTGRESQL__PASSWORD={DB PASS} \ # SMTP Host Emails are sent to -e AUTHENTIK_EMAIL__HOST={SMTP SERVER} \ -e AUTHENTIK_EMAIL__PORT=465 \ # Optionally authenticate (don't add quotation marks to your password) -e AUTHENTIK_EMAIL__USERNAME={SMTP USER} \ -e AUTHENTIK_EMAIL__PASSWORD={SMTP PASS} \ # Use StartTLS -e AUTHENTIK_EMAIL__USE_TLS=false \ # Use SSL -e AUTHENTIK_EMAIL__USE_SSL=true \ -e AUTHENTIK_EMAIL__TIMEOUT=10 \ # Email address authentik will send from, should have a correct @domain -e AUTHENTIK_EMAIL__FROM={EMAIL} \ -v /var/run/podman/podman.sock:/var/run/docker.sock \ -v /mnt/authentik/certs:/certs \ -v /mnt/authentik/media:/media \ -v /mnt/authentik/templates:/templates \ -v /mnt/authentik/geoip:/geoip \ --pod pod_authentik \ -d ghcr.io/goauthentik/server:2023.2 \ worker ``` ### Nginx ```nginx # Upstream where your authentik server is hosted. upstream authentik { server 172.18.50.10:9443; # Improve performance by keeping some connections alive. keepalive 10; } # Upgrade WebSocket if requested, otherwise use keepalive map $http_upgrade $connection_upgrade_keepalive { default upgrade; '' ''; } server { server_name auth.exu.li; # Proxy site location / { proxy_pass https://authentik; proxy_http_version 1.1; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_keepalive; } listen 443 ssl http2; listen [::]:443 ssl http2; ssl_certificate_key /etc/acme-sh/auth.exu.li/key.pem; ssl_certificate /etc/acme-sh/auth.exu.li/cert.pem; } server { if ($host = auth.exu.li) { return 301 https://$host$request_uri; } listen 80; listen [::]:80; server_name auth.exu.li; return 404; } ``` ### Systemd Services _TODO_ ## Setup After starting all containers, visit the path `https://{SERVER IP}:{PORT}/if/flow/initial-setup/` in your browser. The default user is called `akadmin` ## Manual LDAP Outpost Manual deployment of outposts is necessary, if no integration for kubernetes or docker is provided to authentik. Outposts are available as OCI-containers and can be deployed like any other container. https://goauthentik.io/docs/outposts/manual-deploy-docker-compose ```sh podman run --name authentik_ldap -p 389:3389 -p 636:6636 \ -e AUTHENTIK_HOST=https://{AUTHENTIK URL} \ -e AUTHENTIK_INSECURE=false \ -e AUTHENTIK_TOKEN={GENERATED TOKEN} \ -d ghcr.io/goauthentik/ldap:2023.2 ```