Docker Compose Install
You must confirm that all domains and subdomains are correct for your environment. For example, auth.domain.com is the FQDN for your Authentik UI.
.env File
If this is a fresh authentik install, run the following commands to generate a password (in the directory of your compose file):
# You can also use openssl instead: `openssl rand -base64 36`
sudo apt-get install -y pwgen
# Because of a PostgreSQL limitation, only passwords up to 99 chars are supported
# See https://www.postgresql.org/message-id/[email protected]
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
# Skip if you don't want to enable error reporting
echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env
This will create the .env file and fill it with some passwords. In addition, you can add many other variables to the .env file. See here: https://goauthentik.io/docs/installation/docker-compose
By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can set the following variables in .env:
AUTHENTIK_PORT_HTTP=9000
AUTHENTIK_PORT_HTTPS=9443
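A preflight check for the .env file built above, as an added example that is not part of this guide's or authentik's own tooling. The function names and the script name check-env.sh are hypothetical, and GNU stat is assumed (Debian/Ubuntu, matching the apt-get step). It catches the cases the commands above can produce: a key appended twice by re-running them, a PG_PASS over the 99-character limit, an invalid port override, and a secrets file readable by other users.

```shell
#!/bin/sh
# Added example: preflight check for the .env file built above.
# Hypothetical helper names; assumes GNU stat (Debian/Ubuntu, as with apt-get).

# Print the last value assigned to KEY ($2) in FILE ($1); empty if absent.
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print how many times KEY ($2) is assigned in FILE ($1).
env_count() { grep -c "^$2=" "$1" || true; }

# Report every problem found in FILE ($1); return 0 only if there are none.
check_env() {
    file=$1; rc=0
    [ -f "$file" ] || { echo "FAIL $file not found"; return 2; }
    for key in PG_PASS AUTHENTIK_SECRET_KEY; do
        n=$(env_count "$file" "$key")
        if [ "$n" -eq 0 ]; then
            echo "FAIL $key is not set"; rc=1
        elif [ "$n" -gt 1 ]; then
            # Happens when the 'echo ... >> .env' commands are run twice.
            echo "FAIL $key is defined $n times"; rc=1
        fi
    done
    pg=$(env_get "$file" PG_PASS)
    if [ "${#pg}" -gt 99 ]; then   # PostgreSQL limit noted in the guide
        echo "FAIL PG_PASS is ${#pg} characters, maximum is 99"; rc=1
    fi
    for key in AUTHENTIK_PORT_HTTP AUTHENTIK_PORT_HTTPS; do
        port=$(env_get "$file" "$key")
        case $port in
            '') ;;   # unset: the compose file falls back to 9000 / 9443
            *[!0-9]*) echo "FAIL $key=$port is not a number"; rc=1 ;;
            *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                   echo "FAIL $key=$port is outside 1-65535"; rc=1
               fi ;;
        esac
    done
    mode=$(stat -c '%a' "$file")   # the file holds secrets: owner-only access
    case $mode in
        *00) ;;
        *) echo "FAIL $file has mode $mode, expected 600"; rc=1 ;;
    esac
    return $rc
}

# Run as: sh check-env.sh .env
if [ -n "${1:-}" ]; then check_env "$1"; fi
```

A non-zero exit status means at least one FAIL line was printed; fix those before starting the stack.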
Docker Compose File
Below is our tweaked version of the official Docker Compose template provided by Authentik. We made several changes, including giving a standardized name to all containers.
If you wish to use the default, you can find it here: https://goauthentik.io/docs/installation/docker-compose
Warning - using a compose file that is outside of our guide means we are unable to guarantee a successful deployment for you.
---
version: '3.4'

services:
  postgresql:
    image: postgres:12-alpine
    restart: unless-stopped
    container_name: authentik-postgres
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      - proxy

  redis:
    image: redis:alpine
    restart: unless-stopped
    container_name: authentik-redis
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - proxy

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.2}
    restart: unless-stopped
    container_name: authentik-server
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    # Published on every host interface, so the UI is also reachable directly
    # on these ports and not only through the Traefik route defined below.
    ports:
      - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
      - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
    networks:
      - proxy
    labels:
      # Quoted so the label value is a string on every Compose version.
      traefik.enable: "true"
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.routers.authentik.rule: Host(`auth.domain.com`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.2}
    restart: unless-stopped
    container_name: authentik-worker
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # Running as root with the Docker socket mounted (below) gives this
    # container control of the host's Docker daemon.
    user: root
    volumes:
      - ./media:/media
      - ./certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - ./custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    networks:
      - proxy

  geoipupdate:
    image: "maxmindinc/geoipupdate:latest"
    container_name: authentik-geoip
    volumes:
      - "geoip:/usr/share/GeoIP"
    environment:
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
      GEOIPUPDATE_FREQUENCY: "8"
    env_file:
      - .env
    networks:
      - proxy

volumes:
  database:
    driver: local
  geoip:
    driver: local

networks:
  proxy:
    driver: bridge
    external: true
Remember, once the system is up and running you need to access a specific link to set up the default 'akadmin' account.
To start the initial setup, navigate to https://<your server>/if/flow/initial-setup/. There you will be prompted to set a password for the akadmin user.