Authentik
Install | Docker Compose
echo "POSTGRES_PASSWORD=$(openssl rand -base64 36 | tr -d '\n')" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
To enable error reporting, run the following command:
env example
POSTGRES_USER=authentik
POSTGRES_DB=authentik
POSTGRES_PASSWORD=password
AUTHENTIK_SECRET_KEY=pbrkUZxxxxxxxxxxxxxxxxxxxxxxxx+LjvUg
Compose example for setup with proxy webserver
- docker-compose.yml
services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    container_name: authentik_postgres
    healthcheck:
      test:
        - CMD-SHELL
        - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - ./database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_DB: ${POSTGRES_DB}
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    container_name: authentik_redis
    restart: unless-stopped
    healthcheck:
      test:
        - CMD-SHELL
        - redis-cli ping | grep PONG
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - ./redis:/data
  server:
    image: ghcr.io/goauthentik/server:2024.10.1
    restart: unless-stopped
    container_name: authentik_server
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      # SMTP Host Emails are sent to
      AUTHENTIK_EMAIL__HOST: <mail.example.com>
      AUTHENTIK_EMAIL__PORT: <2525> # usually 587
      # Optionally authenticate (don't add quotation marks to your password)
      AUTHENTIK_EMAIL__USERNAME: username
      AUTHENTIK_EMAIL__PASSWORD: password
      # With both USE_TLS and USE_SSL set to "false", the SMTP login is sent unencrypted
      # Use StartTLS
      AUTHENTIK_EMAIL__USE_TLS: "false"
      # Use SSL
      AUTHENTIK_EMAIL__USE_SSL: "false"
      AUTHENTIK_EMAIL__TIMEOUT: 10
      # Email address authentik will send from, should have a correct @domain
      AUTHENTIK_EMAIL__FROM: [email protected]
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    ports:
      - 9000:9000
      # - "9443:9443"
    depends_on:
      - postgresql
      - redis
  worker:
    image: ghcr.io/goauthentik/server:2024.10.1
    restart: unless-stopped
    container_name: authentik_worker
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${POSTGRES_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${POSTGRES_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      # SMTP Host Emails are sent to
      AUTHENTIK_EMAIL__HOST: mail.example.com
      AUTHENTIK_EMAIL__PORT: <2525>
      # Optionally authenticate (don't add quotation marks to your password)
      AUTHENTIK_EMAIL__USERNAME: username
      AUTHENTIK_EMAIL__PASSWORD: password
      # Use StartTLS
      AUTHENTIK_EMAIL__USE_TLS: "false"
      # Use SSL
      AUTHENTIK_EMAIL__USE_SSL: "false"
      AUTHENTIK_EMAIL__TIMEOUT: 10
      # Email address authentik will send from, should have a correct @domain
      AUTHENTIK_EMAIL__FROM: [email protected]
    # The worker runs as root with the Docker socket mounted so that authentik
    # can manage outposts; socket access is equivalent to root on the host.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    depends_on:
      - postgresql
      - redis
networks: {}
To start the initial setup, navigate to http://
There you are prompted to set a password for the akadmin user (the default user).
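A pre-flight check for the .env and docker-compose.yml pair above, as an added example that is not part of the original page or of the authentik project. It flags variables the compose file interpolates but .env does not set, secrets still holding an example value, names that differ between the two files (such as PG_PASS in one and POSTGRES_PASSWORD in the other), and a .env readable by other users. The function name check_env, the 32-character minimum and the placeholder patterns are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): pre-flight check for .env + compose file.
# check_env ENV_FILE COMPOSE_FILE prints one finding per line and returns
# 0 when nothing was flagged, 1 otherwise.
check_env() {
    env_file=$1; compose_file=$2; rc=0
    # "$${VAR}" is Compose's escape for a literal "$", so drop it first.
    refs=$(sed 's/\$\$//g' "$compose_file" |
           grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' | tr -d '${}' | sort -u)

    # 1. Every interpolated variable must be set, and secrets must not be
    #    placeholders or short (32 characters is an assumed minimum).
    for var in $refs; do
        value=$(sed -n "s/^${var}=//p" "$env_file" | tail -n 1)
        if [ -z "$value" ]; then
            echo "MISSING $var"; rc=1; continue
        fi
        case $var in *PASS*|*SECRET*|*KEY*) ;; *) continue ;; esac
        case $value in
            password|changeme|*xxxx*|*XXXX*) echo "PLACEHOLDER $var"; rc=1 ;;
        esac
        [ "${#value}" -ge 32 ] || { echo "SHORT $var (${#value} chars)"; rc=1; }
    done

    # 2. Variables set in .env that the compose file never interpolates,
    #    e.g. a generated PG_PASS when the file reads POSTGRES_PASSWORD.
    #    Assumes the services do not also load .env through env_file.
    for var in $(sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$env_file"); do
        echo "$refs" | grep -qx "$var" || { echo "UNUSED $var"; rc=1; }
    done

    # 3. The file holds secrets: no group or world read bit.
    if [ -n "$(find "$env_file" \( -perm -040 -o -perm -004 \))" ]; then
        echo "PERMS $env_file is readable by group or others"; rc=1
    fi
    return $rc
}
```

Source the file and run `check_env .env docker-compose.yml` before `docker compose up -d`.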
Integrations
warpgate setup
- warpgate side
Edit warpgate.yaml
external_host: warp.example.com
sso_providers:
  - name: authentik
    label: Authentik
    provider:
      type: custom
      client_id: hBhsMBEE28UXXXXXXXXXXXXXXXXXXX
      client_secret: D3C7gNdXugltUKY4BQ1QxqJsd3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      issuer_url: https://<authentik.example.com>/application/o/<warp-slug>/.well-known/openid-configuration
      scopes:
        - email
        - openid
- authentik side
Provider
Applications > Providers > Create - OAuth2/OpenID Provider
Name: warp (example)
Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)
Client type: Confidential
Copy the Client ID and Client Secret and save them somewhere.
Redirect URIs/Origins (RegEx): https://
Sign Key: authentik Self-signed Certificate.
Save
Application
Applications > Applications - Create
Name: warp (example)
Slug: warp
Provider: warp (choose the provider you created in the previous step)
Policy engine mode: any