Setting up Authentik with Docker Compose

Note: The documentation below follows the steps from the official Authentik documentation, Authentik Installation using Docker Compose. That page provides additional details on configuration options and advanced setup instructions.

Introduction to Authentik

Authentik is an open-source Identity Provider (IdP) designed to be flexible and versatile.

Prerequisites

  • Docker
  • Docker Compose

Why Choose Authentik?

Authentik stands out as an open-source Identity Provider (IdP) because of its flexibility, versatility and feature set. It is designed for a variety of deployments, from personal homelabs to large-scale environments, and offers:

  • Robust Authentication & Authorisation - Streamline access to the applications behind Authentik with its various authentication methods.
  • Federation Capabilities - Add other IdPs as sources to expand the authentication options.
  • User-friendly Interface - Manage all aspects of Authentik (authentication flows, users and applications) through a clean and intuitive dashboard.
  • Extensibility - Customise Authentik to fit specific needs and requirements through its flexible policy engine and extensive API.

Security - Best Practises

To ensure a secure Authentik deployment, consider the following:

  • Use HTTPS - Configure Authentik to be accessible over HTTPS. Production should always use HTTPS; development can use HTTP, but set up the HTTPS connection anyway so that the production and development environments match.
  • Secure Database Connection - In the Docker Compose configuration below, make sure that frontend is never listed as a network on the PostgreSQL container; the database should only be reachable on the backend network.
  • Regularly Update - Keep all dependencies (Authentik, Docker, etc.) up to date. This addresses security vulnerabilities as they are discovered.

Email Configuration (Optional)

Email configuration is optional; refer to Authentik's official documentation on how to set up and configure it, should it be required.

Setup Steps for Authentik

There are a number of values that need to be configured in the Docker Compose example configuration below. Making sure that all of them are populated should ensure that Authentik starts without any issues.

Example files and other useful information, such as password generation, are below:

Official Docker Compose Example

An Official docker compose example file can be found here:

https://goauthentik.io/docker-compose.yml

Generate Password and Secret Key

Passwords can be generated with the Linux utility pwgen, or with openssl as an alternative.

Install pwgen using the following command: sudo apt-get install pwgen

Next, generate the passwords with pwgen -s 50 1 (Authentik secret key) and pwgen -s 50 1 (database password). Each command returns a single 50-character password to the terminal. Change the trailing 1 to have more passwords printed at once.

---
networks:
  frontend:
    external: true
  backend:
    external: true

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    container_name: authentik-postgres
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      # Fill in all three values (see "Generate Password and Secret Key" above)
      - POSTGRES_PASSWORD=
      - POSTGRES_USER=
      - POSTGRES_DB=
    networks:
      - backend  # database stays on the internal network only, never on frontend
    logging:
      driver: "json-file"
      options:
        max-size: "50m"

  redis:
    image: docker.io/library/redis:alpine
    container_name: authentik-redis
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
    networks:
      - backend
    logging:
      driver: "json-file"
      options:
        max-size: "50m"

  server:
    image: ghcr.io/goauthentik/server:2024.8.2
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql  # the postgresql service name above
      # Must match the POSTGRES_* values set on the postgresql service
      - AUTHENTIK_POSTGRESQL__USER=
      - AUTHENTIK_POSTGRESQL__NAME=
      - AUTHENTIK_POSTGRESQL__PASSWORD=
      - AUTHENTIK_SECRET_KEY=
      # Initial admin password, API token and e-mail; only applied on first start
      - AUTHENTIK_BOOTSTRAP_PASSWORD=
      - AUTHENTIK_BOOTSTRAP_TOKEN=
      - AUTHENTIK_BOOTSTRAP_EMAIL=
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    labels:
      - traefik.enable=true
      - traefik.http.routers.authentik.rule=Host(`authentik.<domain>`)
      - traefik.http.routers.authentik.entrypoints=https
      - traefik.http.routers.authentik.tls=true
      - traefik.http.routers.authentik.tls.certresolver=myresolver
      - traefik.http.routers.authentik.service=authentik
      - traefik.http.services.authentik.loadBalancer.server.port=9000
      # The two certificate-resolver options below are Traefik static configuration
      # (command-line flags of the Traefik container itself). Traefik ignores them
      # as container labels; they are kept here only to document the resolver used.
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
    depends_on:
      # Wait for the healthchecks to pass, not just for the containers to start
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - backend
      - frontend
    logging:
      driver: "json-file"
      options:
        max-size: "50m"

  worker:
    image: ghcr.io/goauthentik/server:2024.8.2  # must be the same tag as the server
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      # Same values as the server service
      - AUTHENTIK_POSTGRESQL__USER=
      - AUTHENTIK_POSTGRESQL__NAME=
      - AUTHENTIK_POSTGRESQL__PASSWORD=
      - AUTHENTIK_SECRET_KEY=
      - AUTHENTIK_BOOTSTRAP_PASSWORD=
      - AUTHENTIK_BOOTSTRAP_TOKEN=
      - AUTHENTIK_BOOTSTRAP_EMAIL=
    # root and the Docker socket are only needed for the Docker outpost integration;
    # drop both if that integration is not used
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - backend
    logging:
      driver: "json-file"
      options:
        max-size: "50m"

volumes:
  database:
    driver: local
  redis:
    driver: local
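As an added example (not from this page's author or the Authentik project), a POSIX shell script that generates the secrets the compose file above leaves blank, writes them to a .env file, and refuses to continue while any AUTHENTIK_* or POSTGRES_* value is still empty. It reads /dev/urandom instead of pwgen so it needs no extra package; the .env file name and the admin e-mail address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Authentik project or its official compose file.
set -eu

# Print one random alphanumeric secret of the requested length.
# /dev/urandom + tr replaces pwgen so the script has no extra dependency.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Write a .env file; docker compose substitutes ${VAR} from it into the compose file.
# The file name and the admin e-mail address are placeholders.
write_env() {
  envfile="$1"
  {
    echo "POSTGRES_USER=authentik"
    echo "POSTGRES_DB=authentik"
    echo "POSTGRES_PASSWORD=$(gen_secret 50)"
    echo "AUTHENTIK_SECRET_KEY=$(gen_secret 50)"
    echo "AUTHENTIK_BOOTSTRAP_PASSWORD=$(gen_secret 32)"
    echo "AUTHENTIK_BOOTSTRAP_TOKEN=$(gen_secret 50)"
    echo "AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.com"
  } >"$envfile"
  chmod 600 "$envfile"   # secrets must not be readable by other users
}

# Print the name of every AUTHENTIK_* or POSTGRES_* variable whose value is empty.
# Matches both the "- KEY=" list form used in the compose file and bare "KEY=" in a .env.
find_empty_values() {
  grep -E '^[[:space:]]*-?[[:space:]]*(AUTHENTIK|POSTGRES)[A-Z_]*=[[:space:]]*$' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*//; s/=.*$//' || true
}

# Return non-zero (so a deploy script stops) when anything is still unpopulated.
check_populated() {
  missing=$(find_empty_values "$1")
  if [ -n "$missing" ]; then
    printf 'Unpopulated values in %s:\n%s\n' "$1" "$missing" >&2
    return 1
  fi
  return 0
}
```

Run write_env .env once, then check_populated docker-compose.yml before docker compose up -d.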

Startup and Final Steps

Now that the relevant configuration options in the Docker Compose file above have been set (database passwords, Authentik username and passwords, etc.), Authentik can be started.

Start Authentik

Start Authentik by running the following command from the folder where the Docker Compose file for Authentik has been stored.

docker compose up -d

Post-Installation Steps

After deploying Authentik, consider the following additional steps to harden and complete the setup:

  • Configure Applications - Applications can be configured using Authentik's Terraform Provider.
    • There are additional steps required to use Authentik's Terraform Provider, the main one being the API token it needs.
  • Set Up MFA - Enable MFA on every user account created, to add an additional layer of security when logging into applications via Authentik.
  • Set Up Policies - Define authentication policies for different applications and user groups.
  • User Management - Start adding users, either manually or through integrations with external directories.
  • Audit & Logging - Review Authentik's audit log regularly to monitor access and identify potential security incidents.

By following the above steps, Authentik will be up and running and ready to securely manage authentication and authorisation for any application it supports.

Key Components Of Docker Compose Configuration Above

Note: this configuration uses Traefik as the reverse proxy, and several of the labels in it will not apply to other reverse proxy solutions. Consult the official documentation for the reverse proxy of choice to replicate the same configuration.

Postgresql Service

  • Image - Uses PostgreSQL 12 on Alpine for the database.
  • Healthcheck - Runs pg_isready so that dependent services wait until the database is ready (via depends_on with condition: service_healthy).
  • Environment - Configures the database name and credentials.

Redis Service

  • Image - Alpine-based Redis image, used for caching and as the task queue.
  • Command - --save 60 1 writes a snapshot to disk every 60 seconds if at least one key has changed; --loglevel warning limits the Redis log to warnings and errors.
  • Healthcheck - Pings Redis so that dependent services wait until it is available.

Server Service

  • Image - Specifies the Authentik server image and tag.
  • Port - No ports are published on the host; the loadBalancer label points Traefik at Authentik's internal port 9000.
  • Volumes - For media files and custom templates.
  • Environment - Connects to Redis and PostgreSQL using the credentials set in the Docker Compose file.
  • Labels - Read by Traefik to provide external access to the service once the container and its dependencies are started and healthy: the Host rule sets the public service name, the entrypoint and TLS labels enforce HTTPS, and the certresolver label names the resolver Traefik uses to obtain the TLS certificate.

Worker Service

  • Image - Uses the same image and tag as the server, for background tasks.
  • User - Optionally runs as root, together with the mounted Docker socket, to manage Docker integrations; both can be removed if that integration is not used.
  • Volumes - Similar to the server: media, certificates and custom templates.

Volumes

  • Persistent Storage - Named volumes defined for PostgreSQL (database) and Redis (redis), so data survives container recreation.