Diese Version wurde durch eine neuere bestätigte Version ersetzt.DiffDiese Version (2025/03/29 19:27) wurde bestätigt durch Daniel.Die zuvor bestätigte Version (2025/03/29 18:48) ist verfügbar.Diff

Dies ist eine alte Version des Dokuments!

Docker: Authentik

Authentik is a middleware expanding the basic authentication- features of FreeIPA by many additional, modern ways of authentication which is used by modern Software. It will make SSO possible (Single-Sign-On: only logging into your pc will be enough to open all apps) by using the Kerberos-Credentials to login to authentik and than to authenticate the third-aprty app like Nextcloud without any user or Password.

TODO

Dockerfile

Usually, i link the env-File to some central File. This time, as there are Passwords included, i will setup an own file. File .env: 

#Common Docker-Parameters
COMPOSE_PROJECT_NAME=servername
COMPOSE_HTTP_TIMEOUT=180

#Authentik: https://goauthentik.io/docs/installation/docker-compose
AUTHENTIK_TAG=latest
#use maybe: openssl rand -base64 60 | tr -d '\n'
AUTHENTIK_SECRET_KEY=SEEDOCS
AUTHENTIK_ERROR_REPORTING__ENABLED=true
#
#Postgres-DB Authentik
AUTHENTIK_POSTGRESQL__HOST=servername-authentik_pgsql-1
AUTHENTIK_POSTGRESQL__USER=authentik
AUTHENTIK_POSTGRESQL__NAME=authentik
AUTHENTIK_POSTGRESQL__PASSWORD=YOURPGPASS
#
#Redis - we are using nextcloud here
AUTHENTIK_REDIS__HOST=nextcloud-aio-redis
AUTHENTIK_REDIS__PASSWORD=SeeInNextcloudSettings_nextcloud_data_config/config.php
#
## SMTP Host Emails are sent to
#AUTHENTIK_EMAIL__HOST=mailserver.smtp.de
#AUTHENTIK_EMAIL__PORT=465
## Optionally authenticate (don't add quotation marks to your password)
#AUTHENTIK_EMAIL__USERNAME=mailuser@host.de
#AUTHENTIK_EMAIL__PASSWORD=MAILPWD
## Use StartTLS
#AUTHENTIK_EMAIL__USE_TLS=false
## Use SSL
#AUTHENTIK_EMAIL__USE_SSL=true
#AUTHENTIK_EMAIL__TIMEOUT=10
## Email address authentik will send from, should have a correct @domain
#AUTHENTIK_EMAIL__FROM=mailuser@host.de

The File docker-compose.yml contains: 

# Source: https://docs.goauthentik.io/docs/releases/2024.10
# wget -O docker-compose.yml https://goauthentik.io/version/2024.10/docker-compose.yml

services:
  authentik_pgsql:
    image: docker.io/library/postgres:16-alpine
    restart: always
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - authentik_pgsql_data:/var/lib/postgresql/data
#Defined in .env
#    environment:
#      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
#      POSTGRES_USER: ${PG_USER:-authentik}
#      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env

# Using nextcloud-aio-redis
#  redis:
#    image: docker.io/library/redis:alpine
#    command: --save 60 1 --loglevel warning
#    restart: unless-stopped
#    healthcheck:
#      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
#      start_period: 20s
#      interval: 30s
#      retries: 5
#      timeout: 3s
#    volumes:
#      - redis:/data

# Authentik Server
  authentik_server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: always
    command: server
# When Upgrading: Check for new Parameters and add to env, not here
# Possible Parameters: https://docs.goauthentik.io/docs/install-config/configuration/
    environment:
#      AUTHENTIK_REDIS__HOST: nextcloud-aio-redis # see .env for password
#      AUTHENTIK_POSTGRESQL__HOST: nextcloud-aio-database
#      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER:-authentik}
#      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB:-authentik}
#      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
      KRB5_TRACE: /dev/stderr
    volumes:
      - authentik_media:/media
      - authentik_custom_templates:/templates
    env_file:
      - .env
# Caddy virtualised
#    ports:
#      - "${COMPOSE_PORT_HTTP:-9000}:9000"
#      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
   networks:
     - nextcloud-aio
     - default

# Authentik Worker
  authentik_worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
    restart: always
    command: worker
#Se above
#    environment:
#      AUTHENTIK_REDIS__HOST: nextcloud-aio-redis
#      AUTHENTIK_POSTGRESQL__HOST: nextcloud-aio-database
#      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER:-authentik}
#      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB:-authentik}
#      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
# No Docker integration / LDAP- Outpost not needed (will be freeipa)
#      - /var/run/docker.sock:/var/run/docker.sock
      - authentik_media:/media
      - authentik_certs:/certs
      - authentik_custom_templates:/templates
    depends_on:
      - authentik_server
    env_file:
      - .env
   networks:
     - nextcloud-aio
     - default

volumes:
  authentik_pgsql_data:
  authentik_media:
  authentik_custom_templates:
  authentik_certs:
# redis:

networks:
 nextcloud-aio:
   external: true

Carefully look at each line to fit your needs.

Caddy

in docker Caddy- Service enhance the lines: 

# Authentik
https://authentik.domain.tld:443 {
       header Strict-Transport-Security max-age=31536000;
       reverse_proxy servername-authentik_server-1:9000
}

First start

After doing docker compose up -d and restarting Caddy you should be able to Navigate to

https://authentik.domain.tld/if/flow/initial-setup/

and set the Password for the admin user akadmin.

Additional Doings

Don't forget to extend your backup/docker_backup_all.sh by adding authentik to the service- list if you have not done so far.

Configuring

Now that Authentik is working, we are glueing all services together.

Sync of FreeIPA/LDAP

Don't use Kerberos-Sync, because the kadmin-interface of FreeIPA is blocked to not have someone messing around with kerberos without FreeIPA not beeing informed. So use LDAP- Sync for the Users.

To Sync FreeIPA with Authentik, follow this Guide: https://docs.goauthentik.io/docs/users-sources/sources/directory-sync/freeipa/

Attaching SPNEGO

With SPNEGO, you gain access to SSO in Authentik.

Here is the lonk to the Docs: https://docs.goauthentik.io/docs/users-sources/sources/protocols/kerberos/

You need to logon to FreeIPA as Admin and do the following:

  • Go to Hosts, add Host authentik.domain.tld
  • Go to Services, Add an new HTTP- Service for that Host

After that, you need to Console into the running FreeIPA-Container and use the commands there: 

# Logon as Admin
kinit admin
# Create and read the Keytab for that service
ipa-getkeytab -s ipa.domain.tld -p HTTP/authentik.domain.tld -k /tmp/authentik.keytab
cat /tmp/authentik.keytab | base64
rm /tmp/authentik.keytab

This is the Keytab that you will use for SPNEGO.

Use the Servicename HTTP/authentik.domain.tld as the Servername!

Important: Use „User matching mode“ = „Link to User with identical Username. …“ - otherwise Kerberos may fail!

Than activate Kerberos in Flows and Stages > Stages > default-authentication-identification > Source settings

Diese Website verwendet Cookies. Durch die Nutzung der Website stimmen Sie dem Speichern von Cookies auf Ihrem Computer zu. Außerdem bestätigen Sie, dass Sie unsere Datenschutzbestimmungen gelesen und verstanden haben. Wenn Sie nicht einverstanden sind, verlassen Sie die Website.Weitere Information
  • content/serverbasics/docker-authentik.1743275996.txt.gz
  • Zuletzt geändert: 2025/03/29 19:19
  • von Daniel