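#!/usr/bin/env bash
# Bootstrap the authentik compose directory: create the layout the compose
# file bind-mounts (./themes/mytheme.css), install pwgen, and write the
# secrets and host ports the compose file reads from ./.env.
# Assumes a Debian/Ubuntu-style host (apt-get) with sudo available.
set -euo pipefail

base_dir=/home/myusername/docker   # adjust to your own docker directory
cd "$base_dir" || exit 1
mkdir -p authentik/themes
cd authentik
# The compose file bind-mounts this path; it must exist as a *file* before
# `docker compose up`, otherwise Docker creates a directory there instead.
touch ./themes/mytheme.css

# pwgen generates the random secrets below.
sudo apt-get install -y pwgen

# .env holds the database password and authentik's signing key. Refuse to
# touch an existing one: re-running would regenerate PG_PASS, which an
# already-initialised database would no longer accept.
if [[ -e .env ]]; then
  printf 'refusing to overwrite existing %s/.env\n' "$PWD" >&2
  exit 1
fi

# Assign from the command substitution directly so a failing pwgen aborts
# the script (set -e) instead of silently writing an empty secret.
pg_pass=$(pwgen -s 40 1)
secret_key=$(pwgen -s 50 1)

# Create .env owner-readable only; both values are long-lived credentials.
umask 077
{
  printf 'PG_PASS=%s\n' "$pg_pass"
  printf 'AUTHENTIK_SECRET_KEY=%s\n' "$secret_key"
  printf 'AUTHENTIK_ERROR_REPORTING__ENABLED=true\n'
  printf 'COMPOSE_PORT_HTTP=9160\n'
  printf 'COMPOSE_PORT_HTTPS=9161\n'
} > .env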
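# authentik stack: PostgreSQL + Redis + the authentik server and worker.
# Secrets (PG_PASS, AUTHENTIK_SECRET_KEY), the error-reporting toggle and the
# published ports are read from ./.env; `docker compose config` shows the
# interpolated result.
services:
  db:
    # PostgreSQL 12 is past upstream end-of-life; moving to a newer major
    # version needs a dump/restore or pg_upgrade, not just a tag change.
    image: docker.io/library/postgres:12-alpine
    container_name: authentik_postgresql
    restart: unless-stopped
    healthcheck:
      # "$$" is compose escaping: these variables are expanded inside the
      # container, not on the host.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - ./db:/var/lib/postgresql/data
    environment:
      # Fail at `compose up` rather than initialise the DB with an empty password.
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: docker.io/library/redis:alpine
    container_name: authentik_redis
    restart: unless-stopped
    # Snapshot to disk when at least one key changed in the last 60 s.
    command: --save 60 1 --loglevel warning
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - ./redis:/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-latest}
    container_name: authentik
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      # Must be the database *service* name. The upstream default "postgresql"
      # is not resolvable on this compose network because the service is "db".
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      # Same guard as on the db service, so both sides fail the same way.
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
      # AUTHENTIK_SECRET_KEY is supplied through env_file (.env).
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
      # Custom login-page CSS. The host file must exist before `compose up`,
      # otherwise Docker creates a directory at that path.
      - ./themes/mytheme.css:/web/dist/custom.css
    env_file:
      - .env
    ports:
      # Quoted, as the compose docs recommend for "host:container" mappings.
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    labels:
      # Quoted so the value is unambiguously a string; older compose
      # versions reject a bare YAML boolean as a label value.
      traefik.enable: "true"
      traefik.http.routers.authentik.entryPoints: https
      # `&&` binds tighter than `||`: match the portal host, or the outpost
      # callback path on any subdomain. The {name:regex} form of HostRegexp
      # is Traefik v2 syntax; Traefik v3 changed it.
      traefik.http.routers.authentik.rule: "Host(`portal.DOMAIN.COM`) || HostRegexp(`{subdomain:[a-z0-9]+}.DOMAIN.COM`) && PathPrefix(`/outpost.goauthentik.io/`)"
    depends_on:
      # Wait for the healthchecks, not just container start, so the first
      # boot does not race the database initialisation.
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-latest}
    container_name: authentik_worker
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      # See the server service: the service is named "db", not "postgresql".
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
    # root plus the Docker socket is what the "Local Docker connection"
    # outpost integration needs, but it hands this container full control of
    # the host's Docker daemon (root-equivalent on the host). Drop both if
    # outposts are not managed through Docker.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy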
# Start (or update) the stack in the background; run from the directory
# holding the compose file and .env.
docker compose up --detach
Create the admin account at: https://<SERVER-IP-HERE>:<COMPOSE_PORT_HTTPS>/if/flow/initial-setup/ (9161 with the .env written above)
Go to: Admin interface > Applications > Providers
Click on: Create
Select: Proxy Provider then click Next
Insert the following settings
Name: APPNAMEHERE - Forward Auth
Authentication flow: welcome-back (Login page)
Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)
Forward auth (single application)
External host: https://APPNAMEHERE.DOMAIN.COM
Token validity: hours=24
Unauthenticated Paths (regular expressions for which the forward-auth check is skipped; keep this list as short as the application allows):
^/api/.*
^/api2/.*
^/identity/.*
^/triggers/.*
^/meshagents.*
^/meshsettings.*
^/agent.*
^/control.*
^/meshrelay.*
^/ui.*
Go to: Admin interface > Applications > Applications
Click on: Create
Insert the following settings
Name: APPNAMEHERE
Slug: APPNAMEHERE
Provider: APPNAMEHERE - Forward Auth
Policy engine mode: any
Choose an app icon in: UI settings > Icon
Go to: Admin interface > Applications > Outposts
Click on: Edit
Insert the following settings
Name: authentik Embedded Outpost
Type: Proxy
Integration: Local Docker connection
Application: APPNAMEHERE (APPNAMEHERE - Forward Auth)
Configuration:
log_level: info
docker_labels: null
authentik_host: https://portal.DOMAIN.COM
docker_network: null
container_image: null
docker_map_ports: true
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: ""
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: false
kubernetes_service_type: ClusterIP
kubernetes_image_pull_secrets: []
kubernetes_ingress_class_name: null
kubernetes_disabled_components:
- deployment
- secret
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls
Go to: Admin interface > System > Brands > Edit > Other global settings > Attributes
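# Brand-level UI defaults for every user of this brand.
settings:
  theme:
    base: dark # dark/light/automatic
    # Folded scalar (>): the lines below are joined into one inline-style
    # string applied to the page background.
    # The image is fetched by every visitor's browser from a third-party host;
    # serve it yourself if you do not want that external dependency.
    background: >
      margin: 0;
      padding: 0;
      background-image: url("https://wallpaperaccess.com/full/8351153.gif");
      background-size: cover;
      background-position: center;
      background-repeat: no-repeat;
      background-attachment: fixed;
      background-blend-mode: multiply;
      background-color: #454545;
  enabledFeatures:
    settings: true
    apiDrawer: true
    applicationEdit: true
    notificationDrawer: true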
Go to: Admin interface > Directory > Users > (select user) > Edit > Attributes
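# Per-user UI settings; same keys as the brand attributes.
settings:
  theme:
    base: dark # dark/light/automatic
    # Folded scalar (>): the lines below are joined into one inline-style
    # string applied to the page background.
    # The image is fetched by the browser from a third-party host; serve it
    # yourself if you do not want that external dependency.
    background: >
      margin: 0;
      padding: 0;
      background-image: url("https://wallpaperaccess.com/full/8351153.gif");
      background-size: cover;
      background-position: center;
      background-repeat: no-repeat;
      background-attachment: fixed;
      background-blend-mode: multiply;
      background-color: #454545;
  enabledFeatures:
    settings: true
    apiDrawer: true
    applicationEdit: true
    notificationDrawer: true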
Save the following CSS as: /home/myusername/docker/authentik/themes/mytheme.css (the file the compose file bind-mounts to /web/dist/custom.css)
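/* Custom authentik login-page theme. Bind-mounted over /web/dist/custom.css
   (see the compose file). The selectors target authentik's PatternFly
   classes, so a new authentik release may rename them. */

/* LOGIN WINDOW: translucent, blurred card over the brand background */
.pf-c-login__main {
  overflow: auto;
  position: relative;
  border-radius: 12px;
  background-color: rgba(28, 30, 33, 0.8);
  border: 1px solid rgba(100,100,100, 0.5);
  border-left: 1px solid rgba(30,30,30, 0.5);
  border-right: 1px solid rgba(30,30,30, 0.5);
  border-bottom-color: rgba(200,200,200, 0.5);
  backdrop-filter: blur(10px);
  /* Outer drop shadow plus inset highlights for a bevelled edge. */
  box-shadow:
    0px 24px 38px 3px rgba(0, 0, 0, 0.75),
    inset 0px 24px 48px 0 rgba(0, 0, 0, 0.5),
    inset 0 1px 0px 0 rgba(0, 0, 0, 0.5),
    0 1px 0px 0 rgba(0, 0, 0, 0.8),
    inset 0 -1px 0 0 rgba(255,255,255,0.1),
    0px -1px 0px 0 rgba(255,255,255,0.5);
}

/* Blue glow fading in from the top edge of the card. pointer-events: none
   keeps the overlay from intercepting clicks on the form. */
.pf-c-login__main::before {
  content: "";
  position: absolute;
  top: 0;
  left: 0;
  right: 0;
  bottom: 0;
  height: 400px;
  background: radial-gradient(
    circle at 50% 0%,
    rgba(32, 63, 109, 1) 5%,
    rgba(28, 30, 33, 0) 50%
  );
  pointer-events: none;
  z-index: -1;
  max-height: 100%;
}

/* Optional image at the bottom of the card; fill in url() and uncomment. */
/* .pf-c-login__main::after {
  content: "";
  display: block;
  position: relative;
  margin-top: -60px;
  width: 100%;
  height: 150px;
  background-image: url("");
  background-size: contain;
  background-position: center;
  background-repeat: no-repeat;
} */

/* Text inputs: dark inset fields. --leftright-shadow is reused by the :hover
   and :focus rules below. Earlier background/border experiments are kept
   commented out. */
.pf-c-login__main-body * input {
  --leftright-shadow: inset 1px 0 0 0 rgba(0,0,0,0.5), inset -1px 0 0 0 rgba(0,0,0,0.5);
  /* background-color: rgba(100,100,100, 0.5); */
  /*background: linear-gradient(to bottom,
    rgba(60,60,60, 0.5),
    rgba(100,100,100, 0.5)
  ); */
  border: none;
  /* border-width: 1px !important;
  border-top-color: rgba(0,0,0, 0.5);
  border-bottom-color: rgba(200,200,200, 0.5); */
  background-color: rgba(0, 0, 0, 0.5);
  border-radius: 5px;
  color: white;
  box-shadow:
    0 -1px 0 0 rgba(255,255,255,0.5),
    0 1px 0 0 rgba(0,0,0,0.5),
    inset 0 -1px 0 0 rgba(255,255,255,0.3),
    inset 0 1px 0 0 rgba(0,0,0,0.3),
    var(--leftright-shadow),
    0 0 1px 1px rgba(0, 0, 0, 0.3);
  /* Transparent outline gives the :focus outline something to transition from. */
  outline: 0px solid transparent;
  outline-offset: -1px;
  transition: box-shadow 0.1s linear, outline 0.1s linear;
  padding: 8px !important;
}

/* Hover: dimmer top highlight, wider outer shadow. */
.pf-c-login__main-body * input:hover {
  box-shadow:
    0 -1px 0 0 rgba(255,255,255,0.1),
    0 1px 0 0 rgba(0,0,0,0.5),
    inset 0 -1px 0 0 rgba(255,255,255,0.3),
    inset 0 1px 0 0 rgba(0,0,0,0.3),
    var(--leftright-shadow),
    0 0 8px 2px rgba(0,0,0,0.3);
}

/* Focus: visible outline plus a light halo, so keyboard focus is obvious. */
.pf-c-login__main-body * input:focus {
  outline: 2px solid rgba(255,255,255,0.5);
  box-shadow:
    0 -1px 0 0 rgba(255,255,255,0.1),
    0 1px 0 0 rgba(0,0,0,0.5),
    inset 0 -1px 0 0 rgba(255,255,255,0.3),
    inset 0 1px 0 0 rgba(0,0,0,0.3),
    var(--leftright-shadow),
    0 0 4px 4px rgba(200,200,200,0.5);
}

/* FOOTER: the link list gets the same card treatment as the login window. */
.pf-c-login__footer {
  padding: 0px;
}

.pf-c-login__footer ul.pf-c-list.pf-m-inline {
  padding: 0px;
  border-radius: 12px;
  background-color: rgba(28, 30, 33, 0.8);
  border: 1px solid rgba(100,100,100, 0.5);
  border-left: 1px solid rgba(30,30,30, 0.5);
  border-right: 1px solid rgba(30,30,30, 0.5);
  border-bottom-color: rgba(200,200,200, 0.5);
  backdrop-filter: blur(10px);
  box-shadow:
    inset 0px 24px 48px 0 rgba(0, 0, 0, 0.5),
    inset 0 1px 0px 0 rgba(0, 0, 0, 0.5),
    0 1px 0px 0 rgba(0, 0, 0, 0.8),
    inset 0 -1px 0 0 rgba(255,255,255,0.1),
    0px -1px 0px 0 rgba(255,255,255,0.5);
}

/* some other css */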
Go to Admin interface --> Flows & Stages --> Stages
Select default-authentication-mfa-validation then click on Edit
Select TOTP Authenticators then scroll down and select default-authenticator-totp-setup (TOTP Authenticator Setup Stage)
For Not configured action, select: Force the user to configure an authenticator
Click on Update
Go to Admin interface --> Directory --> Groups
Click on Create
Name: authentik Users
Attributes:
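# Group attributes: UI features for members of this group.
settings:
  enabledFeatures:
    settings: true
    apiDrawer: false
    applicationEdit: false
    notificationDrawer: true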
Then click Create
Go to Admin interface --> Applications --> Applications
Click on an application and select the tab Policy / Group / User Bindings
Click on Create Binding
Select the tab Group and select your new group (authentik Users) then click Create
Go to Admin interface --> Directory --> Groups
Click on the group (authentik Users)
Select the tab Users and then click on Add existing user