Add Authentik Compose Stack

docker-compose.yml

@@ -0,0 +1,173 @@
+name: authentik
+
+services:
+  server:
+    image: ghcr.io/goauthentik/server:${VERSION:-2024.12.2}
+    container_name: authentik_server
+    depends_on:
+      - db
+      - redis
+    command: server
+    restart: unless-stopped
+    volumes:
+      - /srv/authentik/media:/media
+      - /srv/authentik/custom-templates:/templates
+    #ports:
+    #  - "${COMPOSE_PORT_HTTP:-7000}:9000"
+    #  - "${COMPOSE_PORT_HTTPS:-7443}:9443"
+    networks:
+      - internal
+      - proxy
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: db
+      AUTHENTIK_POSTGRESQL__NAME: file:///run/secrets/db_name
+      AUTHENTIK_POSTGRESQL__USER: file:///run/secrets/db_user
+      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/db_pass
+      AUTHENTIK_SECRET_KEY: file:///run/secrets/secret
+    secrets:
+      - db_name
+      - db_user
+      - db_pass
+      - secret
+
+  worker:
+    image: ghcr.io/goauthentik/server:${VERSION:-2024.12.2}
+    container_name: authentik_worker
+    depends_on:
+      - db
+      - redis
+    command: worker
+    restart: unless-stopped
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: authentik
+    volumes:
+      #- /var/run/docker.sock:/var/run/docker.sock
+      - /srv/authentik/media:/media
+      - /srv/authentik/certs:/certs
+      - /srv/authentik/custom-templates:/templates
+    networks:
+      - internal
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: db
+      AUTHENTIK_POSTGRESQL__NAME: file:///run/secrets/db_name
+      AUTHENTIK_POSTGRESQL__USER: file:///run/secrets/db_user
+      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/db_pass
+      AUTHENTIK_SECRET_KEY: file:///run/secrets/secret
+      AUTHENTIK_EMAIL__HOST: file:///run/secrets/mail_server
+      AUTHENTIK_EMAIL__PORT: 587
+      AUTHENTIK_EMAIL__USERNAME: file:///run/secrets/mail_user
+      AUTHENTIK_EMAIL__PASSWORD: file:///run/secrets/mail_pass
+      AUTHENTIK_EMAIL__FROM: file:///run/secrets/mail_from
+      AUTHENTIK_EMAIL__USE_TLS: true
+      AUTHENTIK_EMAIL__USE_SSL: false
+      AUTHENTIK_EMAIL__TIMEOUT: 10
+    secrets:
+      - db_name
+      - db_user
+      - db_pass
+      - secret
+      - mail_user
+      - mail_pass
+      - mail_from
+      - mail_server
+
+  ldap:
+    image: ghcr.io/goauthentik/ldap:${VERSION:-2024.12.2}
+    container_name: authentik_ldap
+    depends_on:
+      - server
+      - worker
+    restart: unless-stopped
+    ports:
+      #- 389:3389
+      - 636:6636
+    networks:
+      - internal
+    environment:
+        AUTHENTIK_HOST: https://server:9443
+        AUTHENTIK_INSECURE: "true"
+        AUTHENTIK_TOKEN: file:///run/secrets/ldap_api_key
+        docker_network: internal
+    secrets:
+      - ldap_api_key
+
+  db:
+    image: docker.io/library/postgres:16-alpine
+    container_name: authentik_db
+    restart: unless-stopped
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`" ]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - db:/var/lib/postgresql/data
+    networks:
+      - internal
+    environment:
+      POSTGRES_DB_FILE: /run/secrets/db_name
+      POSTGRES_USER_FILE: /run/secrets/db_user
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_pass
+    secrets:
+      - db_name
+      - db_user
+      - db_pass
+
+  redis:
+    image: docker.io/library/redis:alpine
+    container_name: authentik_redis
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - redis:/data
+    networks:
+      - internal
+
+volumes:
+  db:
+    driver: local
+    name: authentik_db
+  redis:
+    driver: local
+    name: authentik_redis
+
+networks:
+  internal:
+    name: authentik-internal
+  proxy:
+      name: proxy-authentik
+      external: true
+
+secrets:
+  db_name:
+    file: /srv/docker/secrets/authentik/db/name.txt
+  db_user:
+    file: /srv/docker/secrets/authentik/db/user.txt
+  db_pass:
+    file: /srv/docker/secrets/authentik/db/pass.key
+  secret:
+    file: /srv/docker/secrets/authentik/keys/secret.key
+  ldap_api_key:
+    file: /srv/docker/secrets/authentik/keys/ldap_api.key
+  mail_user:
+    file: /srv/docker/secrets/mail/user.txt
+  mail_from:
+    file: /srv/docker/secrets/mail/mail.txt
+  mail_pass:
+    file: /srv/docker/secrets/mail/pass.txt
+  mail_server:
+    file: /srv/docker/secrets/mail/host.txt