π‘οΈ Authentik Identity Provider
Production-ready identity and access management solution with SSO, user directories, and multi-factor authentication.
π οΈ Service Configuration
Core Services
| authentik.yml |
|---|
| ---
x-logging: &default-logging
driver: loki
options: &default-logging-options
loki-url: https://loki.${SYNOLOGY_BASIC_URL}/loki/api/v1/push
loki-retries: 5
loki-batch-size: 400
loki-batch-wait: 2s
loki-timeout: 10s
loki-max-backoff: 5s
loki-min-backoff: 1s
loki-tenant-id: default
x-labels: &default-labels
com.centurylinklabs.watchtower.enable: true
recreat.container: true
container.label.group: proxy
x-limits: &resource-limits
mem_limit: "256m"
mem_reservation: "64m"
cpu_shares: "512"
restart: always
networks:
dockerization:
services:
postgresql:
container_name: authentik-postgresql
hostname: authentik-postgresql
image: docker.io/library/postgres:16-alpine
<<: *resource-limits
logging:
<<: *default-logging
options:
<<: *default-logging-options
loki-external-labels: job=authentik-postgresql
healthcheck:
test:
- CMD-SHELL
- pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- type: bind
source: ${MOUNT_PATH_DOCKER_ROOT:?path required}/authentik/database
target: /var/lib/postgresql/data
- type: bind
source: /etc/localtime
target: /etc/localtime
read_only: true
environment:
POSTGRES_PASSWORD: ${PG_PASS:?database password required} # (1)!
POSTGRES_USER: ${PG_USER:-authentik} # (2)!
POSTGRES_DB: ${PG_DB:-authentik} # (3)!
UID: ${UID_NAS_ADMIN:-1026} # (4)!
GID: ${GID_NAS_ADMIN:-100} # (5)!
labels:
<<: *default-labels
monitoring: authentik-postgresql
redis:
container_name: authentik-redis
hostname: authentik-redis
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
<<: *resource-limits
logging:
<<: *default-logging
options:
<<: *default-logging-options
loki-external-labels: job=authentik-redis
healthcheck:
test:
- CMD-SHELL
- redis-cli ping | grep PONG
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- type: bind
source: ${MOUNT_PATH_DOCKER_ROOT}/authentik/redis
target: /data
- type: bind
source: /etc/localtime
target: /etc/localtime
read_only: true
environment:
UID: ${UID_NAS_ADMIN:-1026} # (6)!
GID: ${GID_NAS_ADMIN:-100} # (7)!
labels:
<<: *default-labels
monitoring: authentik-redis
authentik:
container_name: authentik
hostname: authentik
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
command: server
<<: *resource-limits
logging:
<<: *default-logging
options:
<<: *default-logging-options
loki-external-labels: job=authentik
environment:
AUTHENTIK_REDIS__HOST: redis # (8)!
AUTHENTIK_POSTGRESQL__HOST: postgresql # (9)!
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} # (10)!
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} # (11)!
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} # (12)!
AUTHENTIK_BOOTSTRAP_EMAIL: ${EMAIL} # (13)!
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD} # (14)!
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY} # (15)!
UID: ${UID_NAS_ADMIN:-1026} # (16)!
GID: ${GID_NAS_ADMIN:-100} # (17)!
volumes:
- type: bind
source: /etc/localtime
target: /etc/localtime
read_only: true
- type: bind
source: ${MOUNT_PATH_DOCKER_ROOT}/authentik/media
target: /media
- type: bind
source: ${MOUNT_PATH_DOCKER_ROOT}/authentik/templates
target: /templates
ports:
- ${COMPOSE_PORT_HTTP:-9001}:9000
- ${COMPOSE_PORT_HTTPS:-9443}:9443
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
labels:
<<: *default-labels
monitoring: authentik
worker:
container_name: authentik-worker
hostname: authentik-worker
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
command: worker
<<: *resource-limits
logging:
<<: *default-logging
options:
<<: *default-logging-options
loki-external-labels: job=authentik-worker
environment:
AUTHENTIK_REDIS__HOST: redis # (18)!
AUTHENTIK_POSTGRESQL__HOST: postgresql # (19)!
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} # (20)!
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} # (21)!
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} # (22)!
AUTHENTIK_BOOTSTRAP_EMAIL: ${EMAIL} # (23)!
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD} # (24)!
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY} # (25)!
UID: ${UID_NAS_ADMIN:-1026} # (26)!
GID: ${GID_NAS_ADMIN:-100} # (27)!
user: root
volumes:
- type: bind
source: /var/run/docker.sock
target: /var/run/docker.sock
read_only: true
- type: bind
source: /etc/localtime
target: /etc/localtime
read_only: true
- type: bind
source: ${MOUNT_PATH_DOCKER_ROOT}/authentik/media
target: /media
- type: bind
source: ${MOUNT_PATH_DOCKER_ROOT}/authentik/certs
target: /certs
- type: bind
source: ${MOUNT_PATH_DOCKER_ROOT}/authentik/templates
target: /templates
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
labels:
<<: *default-labels
monitoring: authentik
networks:
dockerization:
external: true
|
- β Required database password (must be set in
.env)
- β Database username (default:
authentik)
- β Database name (default:
authentik)
- β Optional user ID for volume permissions (default: 1026)
- β Optional group ID for volume permissions (default: 100)
- β Optional user ID for volume permissions (default: 1026)
- Optional group ID for volume permissions (default: 100)
- β Redis hostname (using Docker service name)
- β PostgreSQL hostname (using Docker service name)
- β PostgreSQL username (matches
POSTGRES_USER)
- β Database name (matches
POSTGRES_DB)
- β Must match
POSTGRES_PASSWORD
- β Initial admin email (must be set in
.env)
- β Initial admin password (must be set in
.env)
- β Encryption key (must be set in
.env)
- β User ID for volume permissions (default: 1026)
- β Group ID for volume permissions (default: 100)
- β Redis hostname (using Docker service name)
- β PostgreSQL hostname (using Docker service name)
- β PostgreSQL username (matches
POSTGRES_USER)
- β Database name (matches
POSTGRES_DB)
- β Must match
POSTGRES_PASSWORD
- β Initial admin email (must be set in
.env)
- β Initial admin password (must be set in
.env)
- β Encryption key (must be set in
.env)
- β User ID for volume permissions (default: 1026)
- β Group ID for volume permissions (default: 100)
π Required Environment Variables
Refer to Environment Variables documentation for:
| Variable |
Description |
Required |
PG_PASS |
PostgreSQL password |
β
|
AUTHENTIK_BOOTSTRAP_PASSWORD |
Initial admin password |
β
|
AUTHENTIK_SECRET_KEY |
Encryption key |
β
|
MOUNT_PATH_DOCKER_ROOT |
Storage path |
β
|
UID_NAS_ADMIN |
User ID for volume permissions |
β οΈ Recommended |
GID_NAS_ADMIN |
Group ID for volume permissions |
β οΈ Recommended |
Security Notice
- Be stored in
.env files
- Have restricted permissions (
chmod 600)
- Never be committed to version control
- Be rotated periodically
π Deployment
- Create
.env file with required variables
- Initialize volumes
mkdir -p ${MOUNT_PATH_DOCKER_ROOT}/authentik/{database,redis,media,certs,templates}
chown -R ${UID_NAS_ADMIN:-1026}:${GID_NAS_ADMIN:-100} ${MOUNT_PATH_DOCKER_ROOT}/authentik
- Start services
docker-compose -f authentik.yml up -d
- Access web UI at
https://yourdomain.com:9443
π Maintenance
-
Backups
- Regularly backup the PostgreSQL volume
-
Updates
docker-compose -f authentik.yml pull
docker-compose -f authentik.yml up -d
- Logs