
Introduction

We will do the setup on the manager node that is already the docker swarm manager and is running our traefik proxy setup. Normally I would use another container for this, but in my testing, trying to split everything apart at the starting stages just does not work. Although I have not tried again after using an actual VM for the docker swarm manager.

Setup

My docker compose file is pretty close to stock. You can get the stock compose file right from authentik by running

```bash
wget https://goauthentik.io/docker-compose.yml
```

Make sure you run this in the folder where you want the file to live (for example the docker-compose folder on the mnt, with another folder named authentik inside it). As of 2024/06/23 you will get something like the following:

```yml title="authentik docker-compose.yml"
---
services:
  # -- postgresql
  postgresql:
    image: docker.io/library/postgres:16-alpine
    container_name: authentik-postgresql
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /mnt/configs/authentik/pg-data:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      - [YOUR_CUSTOM_NETWORK_NAME]
  # -- redis setup
  redis:
    image: docker.io/library/redis:alpine
    container_name: authentik-redis
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /configs/authentik/redis-data:/data
    networks:
      - [YOUR_CUSTOM_NETWORK_NAME]
  # -- authentik server setup
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.1}
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_INSECURE: "False"
      AUTHENTIK_CERTIFICATE: ""
      AUTHENTIK_KEY: ""
      LOG_LEVEL: "ERROR"
      LOG_FILE: "/media/authentik.log"
    volumes:
      - /mnt/configs/authentik/media:/media
      - /mnt/configs/authentik/custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      # - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
    networks:
      - [YOUR_CUSTOM_NETWORK_NAME]
    labels:
      - traefik.enable=true
      - traefik.http.routers.authentik-secure.rule=Host(`authentik.[YOUR_FQDN]`)
      - traefik.http.routers.authentik-secure.entrypoints=websecure
      - traefik.http.routers.authentik-secure.tls.certresolver=cloudflare
      - traefik.http.services.authentik.loadbalancer.server.port=9000
  # -- authentik worker setup
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.1}
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}

    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/configs/authentik/media:/media
      - /mnt/configs/traefik-v5/certs:/certs
      - /mnt/configs/authentik/custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
    networks:
      - [YOUR_CUSTOM_NETWORK_NAME]

volumes:
  database:
    driver: local
  redis:
    driver: local

networks:
  [YOUR_CUSTOM_NETWORK_NAME]:
    external: true
    driver: overlay
```

Now on to what I changed to get this to work.

Network setup for Traefik

```yml
- [YOUR_CUSTOM_NETWORK_NAME]
```

Change the above (in every `networks:` entry) to the network you created for Traefik.


Next up is adding the labels to the server section. Because we are not deploying this as a stack, we are not in swarm mode, so the labels do not need to sit in a special `deploy` section.

```yml title="add to the server service"
    labels:
      - traefik.enable=true
      - traefik.http.routers.authentik-secure.rule=Host(`authentik.[YOUR_FQDN]`)
      - traefik.http.routers.authentik-secure.entrypoints=websecure
      - traefik.http.routers.authentik-secure.tls.certresolver=cloudflare
      - traefik.http.services.authentik.loadbalancer.server.port=9000
```

This is just a basic set of labels to get traefik to see the authentik container and route to it over the `websecure` entrypoint. Note that the compose file also keeps the `ports:` mapping for 9000, so authentik stays reachable over plain HTTP on the host as well as through Traefik; drop or firewall that mapping if you only want the TLS route.

The keen-eyed will have noticed the .env file being referenced; we will create that now (it must be stored in the same directory as the docker-compose.yml).

```bash
touch .env
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
```

The above command generates PG_PASS for the postgreSQL database that is being set up in the docker-compose.yml and appends it directly to the .env.

```bash
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
```

This creates the AUTHENTIK_SECRET_KEY value, and adds it directly to the .env file.

Now, as per the installation documentation, we need to set up the E-Mail server. The information below is for ProtonMail Business; I have not tested this with any other E-Mail service. The required values come from ProtonMail themselves.

```bash
vi .env
```

Add the following, with your own information, to the .env:

```bash title="add to .env"
# -- Enable/Disable error reporting true=on false=off
AUTHENTIK_ERROR_REPORTING__ENABLED=true

# -- SMTP Email setup, this is to send emails from the server to the user
# -- For Protonmail see this URL https://proton.me/support/smtp-submission you will need a Business, Visionary or Family account
AUTHENTIK_EMAIL__HOST=smtp.protonmail.ch
AUTHENTIK_EMAIL__PORT=587

# -- For Protonmail the username will be the Email address you selected on the SMTP Token page and the password will be the token that was generated
AUTHENTIK_EMAIL__USERNAME=[PROTON_EMAIL]
AUTHENTIK_EMAIL__PASSWORD=[PROTON_TOKEN]

# -- Enable/Disable StartTLS, for Proton this needs to be true
AUTHENTIK_EMAIL__USE_TLS=true

# -- Enable/Disable SSL, keep this disabled for Proton as we are using StartTLS
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10

# -- Set the Email that Authentik will show in the From field. This actually gets set automatically by Proton (or it should) when we set up the SMTP token, but keep it the same to avoid any issues with DMARC/DKIM/SPF
# -- as other providers could reject the email.
AUTHENTIK_EMAIL__FROM=[PROTON_EMAIL]
```

Your full .env should now look something like this:

```bash title="complete .env"
# -- Generated by using echo "PG_PASS=$(pwgen -s 40 1)" >> .env
PG_PASS=[GENERATED_PASSWORD]

# -- Generated by using echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
AUTHENTIK_SECRET_KEY=[GENERATED_SECRET]

# -- Enable/Disable error reporting true=on false=off
AUTHENTIK_ERROR_REPORTING__ENABLED=true

# -- SMTP Email setup, this is to send emails from the server to the user
# -- For Protonmail see this URL https://proton.me/support/smtp-submission you will need a Business, Visionary or Family account
AUTHENTIK_EMAIL__HOST=smtp.protonmail.ch
AUTHENTIK_EMAIL__PORT=587

# -- For Protonmail the username will be the Email address you selected on the SMTP Token page and the password will be the token that was generated
AUTHENTIK_EMAIL__USERNAME=[PROTON_EMAIL]
AUTHENTIK_EMAIL__PASSWORD=[PROTON_TOKEN]

# -- Enable/Disable StartTLS, for Proton this needs to be true
AUTHENTIK_EMAIL__USE_TLS=true

# -- Enable/Disable SSL, keep this disabled for Proton as we are using StartTLS
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10

# -- Set the Email that Authentik will show in the From field. This actually gets set automatically by Proton (or it should) when we set up the SMTP token, but keep it the same to avoid any issues with DMARC/DKIM/SPF
# -- as other providers could reject the email.
AUTHENTIK_EMAIL__FROM=[PROTON_EMAIL]
```
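Before `docker compose up`, it is worth catching the usual slips in the .env built above: a `[PLACEHOLDER]` left in, a short or missing generated secret, a .env that `touch` left group/world readable, or `USE_TLS` and `USE_SSL` both switched on. The POSIX shell checker below is an added example covering the secret generation and the SMTP settings from this guide; it is not authentik's tooling or the original post's code, `check_authentik_env` and `env_get` are names chosen here, and it assumes the pwgen lengths (40/50) and the Proton STARTTLS-on-587 setup shown above.

```shell
# Added example for this guide, not authentik's own tooling: sanity-check the
# .env built above before `docker compose up`. Returns 0 when every check passes.

# Return the value of KEY ($2) from FILE ($1); the last definition wins, as in dotenv.
env_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

check_authentik_env() {
    file=$1; rc=0
    [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }
    # The file holds the DB password and the authentik signing secret:
    # group/other permission bits must be off (chmod 600 .env).
    [ "$(ls -l "$file" | cut -c5-10)" = "------" ] \
        || { echo "FAIL: $file is readable by group/others, chmod 600 it"; rc=1; }
    # Generated secrets must be present with the pwgen lengths used above.
    pg=$(env_get "$file" PG_PASS)
    [ "${#pg}" -ge 40 ] || { echo "FAIL: PG_PASS missing or shorter than 40 chars"; rc=1; }
    sk=$(env_get "$file" AUTHENTIK_SECRET_KEY)
    [ "${#sk}" -ge 50 ] || { echo "FAIL: AUTHENTIK_SECRET_KEY missing or shorter than 50 chars"; rc=1; }
    # No [PLACEHOLDER] tokens left over from the template.
    for key in AUTHENTIK_EMAIL__USERNAME AUTHENTIK_EMAIL__PASSWORD AUTHENTIK_EMAIL__FROM; do
        case "$(env_get "$file" "$key")" in
            ''|*\[*\]*) echo "FAIL: $key is empty or still a [PLACEHOLDER]"; rc=1 ;;
        esac
    done
    # STARTTLS (port 587 + USE_TLS) and implicit TLS (port 465 + USE_SSL) are
    # mutually exclusive; Proton's submission endpoint is STARTTLS on 587.
    port=$(env_get "$file" AUTHENTIK_EMAIL__PORT)
    tls=$(env_get "$file" AUTHENTIK_EMAIL__USE_TLS)
    ssl=$(env_get "$file" AUTHENTIK_EMAIL__USE_SSL)
    if [ "$tls" = true ] && [ "$ssl" = true ]; then
        echo "FAIL: USE_TLS and USE_SSL are both true"; rc=1
    elif [ "$port" = 587 ] && [ "$tls" != true ]; then
        echo "FAIL: port 587 needs AUTHENTIK_EMAIL__USE_TLS=true (STARTTLS)"; rc=1
    elif [ "$port" = 465 ] && [ "$ssl" != true ]; then
        echo "FAIL: port 465 needs AUTHENTIK_EMAIL__USE_SSL=true"; rc=1
    elif [ "$tls" != true ] && [ "$ssl" != true ]; then
        echo "FAIL: neither USE_TLS nor USE_SSL is set, SMTP login would go in the clear"; rc=1
    fi
    # From should match the authenticated sender so SPF/DKIM/DMARC line up.
    [ "$(env_get "$file" AUTHENTIK_EMAIL__FROM)" = "$(env_get "$file" AUTHENTIK_EMAIL__USERNAME)" ] \
        || echo "WARN: AUTHENTIK_EMAIL__FROM differs from AUTHENTIK_EMAIL__USERNAME"
    return "$rc"
}
```

Run it as `check_authentik_env /path/to/.env` from the compose directory; a non-zero exit with FAIL lines means the file is not ready to be handed to the containers.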