Home Discord YouTube Disclaimer

Docker Compose Install

You must confirm all subdomains and domains are correct. i.e. the auth.domain.com is the FQDN for your Authentik UI.

.env File

If this is a fresh authentik install run the following commands to generate a password (in the directory of your compose file):

# You can also use openssl instead: `openssl rand -base64 36`
sudo apt-get install -y pwgen
# Because of a PostgreSQL limitation, only passwords up to 99 chars are supported
# See https://www.postgresql.org/message-id/09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
# Skip if you don't want to enable error reporting
echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env

This will create the .env file and fill it with some passwords. In addition, you can add many other variables to the .env file. See here: https://goauthentik.io/docs/installation/docker-compose

By default, authentik listens on port 9000 for HTTP and 9443 for HTTPS. To change this, you can set the following variables in .env:

AUTHENTIK_PORT_HTTP=9000
AUTHENTIK_PORT_HTTPS=9443

After running the commands at the top of this page, additional lines will be added to your ENV for secret keys and passwords

Docker Compose File

Below is our tweaked version of the official Docker Compose template provided by Authentik. We made several changes including giving a standardized name to all containers.

If you wish to use the default, you can find it here: https://goauthentik.io/docs/installation/docker-compose

Warning - using a compose file that is outside of our guide means we are unable to guarantee a successful deployment for you. 

---
version: '3.4'

services:
  postgresql:
    image: postgres:12-alpine
    restart: unless-stopped
    container_name: authentik-postgres
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    env_file:
      - .env
    networks:
      - proxy
  redis:
    image: redis:alpine
    restart: unless-stopped
    container_name: authentik-redis
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - proxy
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.2}
    restart: unless-stopped
    container_name: authentik-server
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    ports:
      - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
      - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
    networks:
      - proxy
    labels:
      traefik.enable: true
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.routers.authentik.rule: Host(`auth.domain.com`) || HostRegexp(`{subdomain:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?}.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.2}
    restart: unless-stopped
    container_name: authentik-worker
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    user: root
    volumes:
      - ./media:/media
      - ./certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - ./custom-templates:/templates
      - geoip:/geoip
    env_file:
      - .env
    networks:
      - proxy
  geoipupdate:
    image: "maxmindinc/geoipupdate:latest"
    container_name: authentik-geoip
    volumes:
      - "geoip:/usr/share/GeoIP"
    environment:
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
      GEOIPUPDATE_FREQUENCY: "8"
    env_file:
      - .env
    networks:
      - proxy

volumes:
  database:
    driver: local
  geoip:
    driver: local

networks:
  proxy:
    driver: bridge
    external: true

Remember, once the system is up and running you need to access a specific link to set up the default 'akadmin' account.

To start the initial setup, navigate to https://<your server>/if/flow/initial-setup/. There you will be prompted to set a password for the akadmin user.

PreviousDocker ComposeNextTraefik Forward Auth - Single Applications

Last updated