From 97a6e683fc66bff59d0238f44717b15c89214d12 Mon Sep 17 00:00:00 2001
From: Kevin Heyer
Date: Fri, 28 Mar 2025 20:15:40 +0000
Subject: [PATCH] Add Authentik container
---
authentik/.env-example | 23 +++++++
authentik/README.md | 0
authentik/docker-compose.yml | 113 +++++++++++++++++++++++++++++++++++
3 files changed, 136 insertions(+)
create mode 100644 authentik/.env-example
create mode 100644 authentik/README.md
create mode 100644 authentik/docker-compose.yml
diff --git a/authentik/.env-example b/authentik/.env-example
new file mode 100644
index 0000000..72dd9f4
--- /dev/null
+++ b/authentik/.env-example
@@ -0,0 +1,23 @@
+# PostgreSQL
+AUTHENTIK_POSTGRESQL_VERSION=16
+AUTHENTIK_POSTGRES_PASSWORD= # generate with openssl rand -base64 32
+AUTHENTIK_POSTGRES_USER=authentik
+AUTHENTIK_POSTGRES_DATABASE=authentik
+
+# Redis
+AUTHENTIK_REDIS_VERSION=alpine
+
+# Authentik
+AUTHENTIK_VERSION=2024.12.3
+AUTHENTIK_SECRET_KEY=# generate with openssl rand -base64 50
+AUTHENTIK_DOMAIN=authentik.example.com
+
+# Email-Konfiguration
+AUTHENTIK_EMAIL__HOST=your.mailhost.com
+AUTHENTIK_EMAIL__PORT=465
+AUTHENTIK_EMAIL__USERNAME=mail@example.com
+AUTHENTIK_EMAIL__PASSWORD=
+AUTHENTIK_EMAIL__USE_TLS=false
+AUTHENTIK_EMAIL__USE_SSL=true
+AUTHENTIK_EMAIL__TIMEOUT=10
+AUTHENTIK_EMAIL__FROM=mail@example.com
\ No newline at end of file
diff --git a/authentik/README.md b/authentik/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/authentik/docker-compose.yml b/authentik/docker-compose.yml
new file mode 100644
index 0000000..3ec928f
--- /dev/null
+++ b/authentik/docker-compose.yml
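Review bot: `AUTHENTIK_SECRET_KEY=# generate with openssl rand -base64 50` has no space before the `#`, and Docker Compose documents that an inline comment on an unquoted value must be preceded by a space, so a copy of this example left unedited would probably load the hint text itself as the secret key, a value anyone can read from the repository. Leave the secret values empty and put each hint on its own comment line above the variable, e.g. `# generate with: openssl rand -base64 50 | tr -d '\n'` followed by `AUTHENTIK_SECRET_KEY=`. The `tr` is needed because 50 random bytes encode to 68 base64 characters and openssl wraps its output at 64, so the command as written prints two lines. `AUTHENTIK_POSTGRES_PASSWORD= # generate …` uses the same inline-hint pattern; with the space it should parse as empty under Compose, but other dotenv readers may not agree, so move that hint too.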
@@ -0,0 +1,113 @@
+---
+services:
+ postgresql:
+ image: docker.io/library/postgres:${AUTHENTIK_POSTGRESQL_VERSION:-16}
+ container_name: authentik-db
+ restart: unless-stopped
+ env_file:
+ - .env
+ networks:
+ - authentik
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - database:/var/lib/postgresql/data
+ environment:
+ POSTGRES_PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:?database password required}
+ POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
+ POSTGRES_DB: ${AUTHENTIK_POSTGRES_DATABASE:-authentik}
+
+ redis:
+ image: docker.io/library/redis:${AUTHENTIK_REDIS_VERSION:-alpine}
+ container_name: authentik-redis
+ restart: unless-stopped
+ command: --save 60 1 --loglevel warning
+ volumes:
+ - redis:/data
+ networks:
+ - authentik
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+
+ server:
+ image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2024.12.3}
+ container_name: authentik-server
+ restart: unless-stopped
+ command: server
+ volumes:
+ - ./media:/media
+ - ./custom-templates:/templates
+ networks:
+ - traefik
+ - authentik
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRES_DATABASE:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:?database password required}
+ env_file:
+ - .env
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=traefik"
+ - "traefik.http.routers.authentik.entrypoints=http"
+ - "traefik.http.routers.authentik.rule=Host(`${AUTHENTIK_DOMAIN:?error}`)"
+ - "traefik.http.middlewares.authentik-https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.routers.authentik.middlewares=authentik-https-redirect"
+ - "traefik.http.routers.authentik-secure.entrypoints=https"
+ - "traefik.http.routers.authentik-secure.rule=Host(`${AUTHENTIK_DOMAIN:?error}`)"
+ - "traefik.http.routers.authentik-secure.tls=true"
+ - "traefik.http.routers.authentik-secure.service=authentik"
+ - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+
+ worker:
+ image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION:-2024.12.3}
+ container_name: authentik-worker
+ restart: unless-stopped
+ command: worker
+ networks:
+ - authentik
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./media:/media
+ - ./certs:/certs
+ - ./custom-templates:/templates
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRES_DATABASE:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:?database password required}
+ env_file:
+ - .env
+ depends_on:
+ postgresql:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+
+volumes:
+ database:
+ driver: local
+ redis:
+ driver: local
+
+networks:
+ traefik:
+ external: true
+ authentik:
+ driver: bridge
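Review bot: The worker service bind-mounts `/var/run/docker.sock:/var/run/docker.sock`, which gives the identity provider's worker container the Docker API and with it effective root on the host. As far as I can tell authentik only needs the socket to manage Docker outposts, so drop that volume line if they are not used; if they are, point the worker at a socket proxy limited to the endpoints it needs, and either way add a comment such as `# only required for authentik-managed Docker outposts`. Separately, `env_file: - .env` on postgresql copies every variable in that file, including `AUTHENTIK_SECRET_KEY` and `AUTHENTIK_EMAIL__PASSWORD`, into the database container, although its `environment:` block already sets the three `POSTGRES_*` values the healthcheck and image read. Removing `env_file` from that service keeps those secrets scoped to server and worker.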