20856f7f18
Added Authentik as the identity provider for SSO authentication:
Why Authentik:
- MIT license (truly open source, most permissive)
- Simple Docker Compose deployment (no manual wizards)
- Lightweight Python-based architecture
- Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS)
- No Redis required as of v2025.10 (all caching in PostgreSQL)
- Active development and strong community
Implementation:
- Created complete Authentik Ansible role
- Docker Compose with server + worker architecture
- PostgreSQL 16 database backend
- Traefik integration with Let's Encrypt SSL
- Bootstrap tasks for initial setup guidance
- Health checks and proper service dependencies
Architecture decisions updated:
- Documented comparison: Authentik vs Zitadel vs Keycloak
- Explained Zitadel removal (FirstInstance bugs)
- Added deployment example and configuration notes
Next steps:
- Update documentation (PROJECT_REFERENCE.md, README.md)
- Create Authentik agent configuration
- Add secrets template
- Test deployment on test server
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
138 lines
4 KiB
Django/Jinja
138 lines
4 KiB
Django/Jinja
services:
|
|
authentik-db:
|
|
image: postgres:16-alpine
|
|
container_name: authentik-db
|
|
restart: unless-stopped
|
|
environment:
|
|
POSTGRES_DB: "{{ authentik_db_name }}"
|
|
POSTGRES_USER: "{{ authentik_db_user }}"
|
|
POSTGRES_PASSWORD: "{{ client_secrets.authentik_db_password }}"
|
|
|
|
volumes:
|
|
- authentik-db-data:/var/lib/postgresql/data
|
|
|
|
networks:
|
|
- {{ authentik_network }}
|
|
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -d {{ authentik_db_name }} -U {{ authentik_db_user }}"]
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 20s
|
|
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 512M
|
|
cpus: "0.5"
|
|
|
|
authentik-server:
|
|
image: {{ authentik_image }}:{{ authentik_version }}
|
|
container_name: authentik-server
|
|
restart: unless-stopped
|
|
command: server
|
|
environment:
|
|
# PostgreSQL connection
|
|
AUTHENTIK_POSTGRESQL__HOST: authentik-db
|
|
AUTHENTIK_POSTGRESQL__NAME: "{{ authentik_db_name }}"
|
|
AUTHENTIK_POSTGRESQL__USER: "{{ authentik_db_user }}"
|
|
AUTHENTIK_POSTGRESQL__PASSWORD: "{{ client_secrets.authentik_db_password }}"
|
|
|
|
# Secret key for encryption
|
|
AUTHENTIK_SECRET_KEY: "{{ client_secrets.authentik_secret_key }}"
|
|
|
|
# Error reporting (optional)
|
|
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
|
|
|
|
# Branding
|
|
AUTHENTIK_BRANDING__TITLE: "{{ client_name | title }} SSO"
|
|
|
|
# Email configuration (optional, configure later)
|
|
# AUTHENTIK_EMAIL__HOST: "smtp.example.com"
|
|
# AUTHENTIK_EMAIL__PORT: "587"
|
|
# AUTHENTIK_EMAIL__USERNAME: "user@example.com"
|
|
# AUTHENTIK_EMAIL__PASSWORD: "password"
|
|
# AUTHENTIK_EMAIL__USE_TLS: "true"
|
|
# AUTHENTIK_EMAIL__FROM: "authentik@example.com"
|
|
|
|
volumes:
|
|
- authentik-media:/media
|
|
- authentik-templates:/templates
|
|
|
|
networks:
|
|
- {{ authentik_traefik_network }}
|
|
- {{ authentik_network }}
|
|
|
|
depends_on:
|
|
authentik-db:
|
|
condition: service_healthy
|
|
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.authentik.rule=Host(`{{ authentik_domain }}`)"
|
|
- "traefik.http.routers.authentik.tls=true"
|
|
- "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.authentik.entrypoints=websecure"
|
|
- "traefik.http.services.authentik.loadbalancer.server.port={{ authentik_http_port }}"
|
|
# Security headers
|
|
- "traefik.http.routers.authentik.middlewares=authentik-headers"
|
|
- "traefik.http.middlewares.authentik-headers.headers.stsSeconds=31536000"
|
|
- "traefik.http.middlewares.authentik-headers.headers.stsIncludeSubdomains=true"
|
|
- "traefik.http.middlewares.authentik-headers.headers.stsPreload=true"
|
|
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 1G
|
|
cpus: "1.0"
|
|
|
|
authentik-worker:
|
|
image: {{ authentik_image }}:{{ authentik_version }}
|
|
container_name: authentik-worker
|
|
restart: unless-stopped
|
|
command: worker
|
|
environment:
|
|
# PostgreSQL connection
|
|
AUTHENTIK_POSTGRESQL__HOST: authentik-db
|
|
AUTHENTIK_POSTGRESQL__NAME: "{{ authentik_db_name }}"
|
|
AUTHENTIK_POSTGRESQL__USER: "{{ authentik_db_user }}"
|
|
AUTHENTIK_POSTGRESQL__PASSWORD: "{{ client_secrets.authentik_db_password }}"
|
|
|
|
# Secret key for encryption (must match server)
|
|
AUTHENTIK_SECRET_KEY: "{{ client_secrets.authentik_secret_key }}"
|
|
|
|
# Error reporting (optional)
|
|
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
|
|
|
|
volumes:
|
|
- authentik-media:/media
|
|
- authentik-templates:/templates
|
|
|
|
networks:
|
|
- {{ authentik_network }}
|
|
|
|
depends_on:
|
|
authentik-db:
|
|
condition: service_healthy
|
|
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 512M
|
|
cpus: "0.5"
|
|
|
|
volumes:
|
|
authentik-db-data:
|
|
driver: local
|
|
authentik-media:
|
|
driver: local
|
|
authentik-templates:
|
|
driver: local
|
|
|
|
networks:
|
|
{{ authentik_traefik_network }}:
|
|
external: true
|
|
{{ authentik_network }}:
|
|
driver: bridge
|
|
internal: true
|