Replace Pocket ID with Authentik
parent
1c34e0cb07
commit
894ccff668
8 changed files with 154 additions and 55 deletions
10
README.md
10
README.md
|
@ -5,14 +5,14 @@ The configs, tweaks, and pieces that make up the `id.starcat.systems` accounts s
|
|||
[)](https://git.starcat.systems/starcat-infra/auth-server/src/branch/main)
|
||||
|
||||
## Contents
|
||||
- `pockey-id`:
|
||||
- `docker-compose.yml`: the Docker Compose file that runs Pocket ID
|
||||
- `.env`: environment variables to configure Pocket ID
|
||||
- `authentik`:
|
||||
- `docker-compose.yml`: the Docker Compose file that runs Authentik
|
||||
- `.env`: environment variables to configure Authentik
|
||||
- `caddy`:
|
||||
- `Caddyfile`: the Caddy server configuration (reverse proxies Pocket ID)
|
||||
- `Caddyfile`: the Caddy server configuration (reverse proxies Authentik)
|
||||
|
||||
## More Information
|
||||
For more information on this repo, please see [Pocket ID in the handbook](https://about.starcat.systems/handbook/infrastructure/security/pocket-id/).
|
||||
For more information on this repo, please see [Authentik in the handbook](https://about.starcat.systems/handbook/infrastructure/security/authentik/).
|
||||
|
||||
## Repo Mirrors
|
||||
Repo contents are automatically pushed to the following mirrors:
|
||||
|
|
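--- a/authentik/.env
+++ b/authentik/.env
@@ -0,0 +1,22 @@
+# Authentik .env app configuration
+# Configures the Authentik application
+# File location: /srv/authentik/.env
+# More information - git repo: https://git.starcat.systems/starcat-infra/auth-server
+# More information - handbook: https://about.starcat.systems/handbook/infrastructure/security/authentik/
+# See the documentation for more information: https://docs.goauthentik.io/docs/install-config/configuration/
+PG_PASS=*REDACTED*
+AUTHENTIK_SECRET_KEY=*REDACTED*
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST=*REDACTED*
+AUTHENTIK_EMAIL__PORT=465
+# Optionally authenticate (don't add quotation marks to your password)
+AUTHENTIK_EMAIL__USERNAME=accounts-noreply@starcat.systems
+AUTHENTIK_EMAIL__PASSWORD=*REDACTED*
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=false
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=true
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=accounts-noreply@starcat.systems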
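Review bot: `AUTHENTIK_ERROR_REPORTING__ENABLED=true` opts this identity provider into shipping error reports to authentik's upstream error-reporting endpoint, which for a production IdP is a data-egress decision that should be made explicitly rather than inherited from the install template; either set `AUTHENTIK_ERROR_REPORTING__ENABLED=false` or add a comment above it recording why reporting is on. The SMTP block is internally consistent (port 465 with `AUTHENTIK_EMAIL__USE_SSL=true` and `AUTHENTIK_EMAIL__USE_TLS=false` selects implicit TLS, matching the template comments). Note that the compose file added in this same commit loads this file into the `postgresql` container via `env_file`, so once the redacted values are filled in, `AUTHENTIK_SECRET_KEY` and the SMTP credentials will also sit in the database container's environment, not only in the authentik server and worker; a comment here such as `# Loaded into the postgresql container too via env_file — keep secrets here to the minimum` would make that visible to whoever fills in the values.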
29
authentik/README.md
Normal file
29
authentik/README.md
Normal file
|
@ -0,0 +1,29 @@
|
|||
# Authentik README
|
||||
## what
|
||||
The Docker Compose and `.env` files that run Authentik
|
||||
|
||||
## where
|
||||
```
|
||||
/srv/authentik/docker-compose.yml
|
||||
/srv/authentik/.env
|
||||
```
|
||||
|
||||
## redacted values
|
||||
For security, secrets have been redacted from these files. StarCat team members can find these values in [1Password](https://start.1password.com/open/i?a=B5NVCNGFJBCCLCDCN5FKFPGVBI&v=35hhast2kp5lgw3iud374426oa&i=wulgiodikbbu4x5rxvco4zren4&h=starcatsys.1password.com). Soon, these values will be autofilled from Vault when the container starts.
|
||||
|
||||
## making changes
|
||||
If you make changes to `.env`, just pull the latest image and restart the service:
|
||||
|
||||
```
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
## upgrading
|
||||
To upgrade Authentik, download the latest `docker-compose.yml` file, (optionally) put our comments at the top of the file, pull the latest images, and restart the service:
|
||||
|
||||
```
|
||||
wget -O docker-compose.yml https://goauthentik.io/docker-compose.yml
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
```
|
98
authentik/docker-compose.yml
Normal file
98
authentik/docker-compose.yml
Normal file
|
@ -0,0 +1,98 @@
|
|||
# Docker Compose file for Authentik
|
||||
# Location: /srv/authentik/docker-compose.yml
|
||||
# IMPORTANT: When Authentik upgrades versions, the docker-compose.yml file changes. This file on Git may not be up to date. See the following for details:
|
||||
# https://git.starcat.systems/starcat-infra/auth-server/src/branch/main/authentik/README.md
|
||||
# https://docs.goauthentik.io/docs/install-config/upgrade
|
||||
|
||||
---
|
||||
|
||||
services:
|
||||
postgresql:
|
||||
image: docker.io/library/postgres:16-alpine
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
|
||||
start_period: 20s
|
||||
interval: 30s
|
||||
retries: 5
|
||||
timeout: 5s
|
||||
volumes:
|
||||
- database:/var/lib/postgresql/data
|
||||
environment:
|
||||
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
|
||||
POSTGRES_USER: ${PG_USER:-authentik}
|
||||
POSTGRES_DB: ${PG_DB:-authentik}
|
||||
env_file:
|
||||
- .env
|
||||
redis:
|
||||
image: docker.io/library/redis:alpine
|
||||
command: --save 60 1 --loglevel warning
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
|
||||
start_period: 20s
|
||||
interval: 30s
|
||||
retries: 5
|
||||
timeout: 3s
|
||||
volumes:
|
||||
- redis:/data
|
||||
server:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
|
||||
restart: unless-stopped
|
||||
command: server
|
||||
environment:
|
||||
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
|
||||
AUTHENTIK_REDIS__HOST: redis
|
||||
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
|
||||
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
|
||||
volumes:
|
||||
- ./media:/media
|
||||
- ./custom-templates:/templates
|
||||
env_file:
|
||||
- .env
|
||||
ports:
|
||||
- "${COMPOSE_PORT_HTTP:-9000}:9000"
|
||||
- "${COMPOSE_PORT_HTTPS:-9443}:9443"
|
||||
depends_on:
|
||||
postgresql:
|
||||
condition: service_healthy
|
||||
redis:
|
||||
condition: service_healthy
|
||||
worker:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
|
||||
restart: unless-stopped
|
||||
command: worker
|
||||
environment:
|
||||
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
|
||||
AUTHENTIK_REDIS__HOST: redis
|
||||
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
|
||||
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
|
||||
# `user: root` and the docker socket volume are optional.
|
||||
# See more for the docker socket integration here:
|
||||
# https://goauthentik.io/docs/outposts/integrations/docker
|
||||
# Removing `user: root` also prevents the worker from fixing the permissions
|
||||
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
|
||||
# (1000:1000 by default)
|
||||
user: root
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ./media:/media
|
||||
- ./certs:/certs
|
||||
- ./custom-templates:/templates
|
||||
env_file:
|
||||
- .env
|
||||
depends_on:
|
||||
postgresql:
|
||||
condition: service_healthy
|
||||
redis:
|
||||
condition: service_healthy
|
||||
|
||||
volumes:
|
||||
database:
|
||||
driver: local
|
||||
redis:
|
||||
driver: local
|
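Review bot: The `worker` service runs with `user: root` and mounts `- /var/run/docker.sock:/var/run/docker.sock`, which gives the authentik worker root-equivalent control of the Docker host, since anything that can reach the socket can start arbitrary privileged containers; the template's own comment marks both as optional and needed only for the Docker outpost integration. Unless this deployment actually uses Docker-managed outposts, drop the socket mount and `user: root` and chown `./media`, `./certs` and `./custom-templates` to 1000:1000 as the comment describes; if outposts are needed, fronting the socket with a filtering proxy or a dedicated Docker API endpoint limits the blast radius. Separately, `"${COMPOSE_PORT_HTTP:-9000}:9000"` and the 9443 mapping publish on all host interfaces, which lets clients bypass the Caddy reverse proxy the README describes; `"127.0.0.1:${COMPOSE_PORT_HTTP:-9000}:9000"` keeps direct access local, assuming Caddy runs on the same host. `AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}` in both `server` and `worker` also lacks the `:?` guard its `POSTGRES_PASSWORD` counterpart has, so an unset variable would start authentik with an empty password and fail at connect time rather than at `docker compose up`.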
BIN
pocket-id.png
BIN
pocket-id.png
|
@ -1,11 +0,0 @@
|
|||
# Pocket ID .env app configuration
|
||||
# Configures the Pocket ID application
|
||||
# File location: /srv/pocket-id/.env
|
||||
# More information - git repo: https://git.starcat.systems/starcat-infra/auth-server
|
||||
# More information - handbook: https://about.starcat.systems/handbook/infrastructure/security/pocket-id/
|
||||
# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
|
||||
APP_URL=https://id.starcat.systems
|
||||
TRUST_PROXY=true
|
||||
MAXMIND_LICENSE_KEY=*REDACTED*
|
||||
PUID=1000
|
||||
PGID=1000
|
|
@ -1,20 +0,0 @@
|
|||
# Pocket ID README
|
||||
## what
|
||||
The Docker Compose and `.env` files that run Pocket ID
|
||||
|
||||
## where
|
||||
```
|
||||
/srv/pocket-id/docker-compose.yml
|
||||
/srv/pocket-id/.env
|
||||
```
|
||||
|
||||
## redacted values
|
||||
For security, secrets have been redacted from this file. StarCat team members can find these values in [1Password](https://start.1password.com/open/i?a=B5NVCNGFJBCCLCDCN5FKFPGVBI&v=35hhast2kp5lgw3iud374426oa&i=ahsb5ohjmkyvfuoudj564xucgy&h=starcatsys.1password.com). Soon, these values will be autofilled from Vault when the container starts.
|
||||
|
||||
## making changes
|
||||
If you make changes to `.env` or need to upgrade Pocket ID, just pull the latest image and restart the service:
|
||||
|
||||
```
|
||||
docker compose pull
|
||||
docker compose up -d
|
||||
```
|
|
@ -1,19 +0,0 @@
|
|||
# Docker Compose file for PocketID
|
||||
# Location: /srv/pocket-id/docker-compose.yml
|
||||
|
||||
services:
|
||||
pocket-id:
|
||||
image: ghcr.io/pocket-id/pocket-id:v1
|
||||
restart: unless-stopped
|
||||
env_file: .env
|
||||
ports:
|
||||
- 1411:1411
|
||||
volumes:
|
||||
- "./data:/app/data"
|
||||
# Optional healthcheck
|
||||
healthcheck:
|
||||
test: "curl -f http://localhost:1411/healthz"
|
||||
interval: 1m30s
|
||||
timeout: 5s
|
||||
retries: 2
|
||||
start_period: 10s
|