add authentik - a SSO solution for the organization

authentik/.env

@@ -0,0 +1,19 @@
+AUTHENTIK_PORT_HTTP=9090
+AUTHENTIK_PORT_HTTPS=9443
+PG_PASS=changeme
+AUTHENTIK_SECRET_KEY=changeme
+AUTHENTIK_ERROR_REPORTING__ENABLED=false
+
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST=smtp.office365.com
+AUTHENTIK_EMAIL__PORT=587
+# Optionally authenticate (don't add quotation marks to your password)
+AUTHENTIK_EMAIL__USERNAME=email@yourdomain.com
+AUTHENTIK_EMAIL__PASSWORD=changeme
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=true
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=true
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=email@yourdomain.com

authentik/docker-compose.yml

@@ -0,0 +1,107 @@
+version: '3.8'
+
+services:
+  postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - database:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
+      - POSTGRES_USER=${PG_USER:-authentik}
+      - POSTGRES_DB=${PG_DB:-authentik}
+    env_file:
+      - .env
+    networks:
+      - authentik
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - redis:/data
+    networks:
+      - reverseproxy-nw
+      - authentik
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.9.0}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
+    volumes:
+      - ./media:/media
+      - ./custom-templates:/templates
+      - geoip:/geoip
+    env_file:
+      - .env
+    ports:
+      - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
+      - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
+    networks:
+      - reverseproxy-nw
+      - authentik
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.9.0}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
+    # This is optional, and can be removed. If you remove this, the following will happen
+    # - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
+    # - The docker socket can't be accessed anymore
+    user: root
+    volumes:
+      - ./media:/media
+      - ./certs:/certs
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./custom-templates:/templates
+        # - geoip:/geoip
+    env_file:
+      - .env
+    networks:
+      - authentik
+        # geoipupdate:
+        #   image: "maxmindinc/geoipupdate:latest"
+        #   volumes:
+        #     - "geoip:/usr/share/GeoIP"
+        #   environment:
+        #     GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
+        #     GEOIPUPDATE_FREQUENCY: "8"
+        #   env_file:
+        #     - .env
+
+volumes:
+  database:
+    driver: local
+  redis:
+    driver: local
+  geoip:
+    driver: local
+
+networks:
+    reverseproxy-nw:
+        external: true
+    authentik: