diff --git a/Netgrimoire/Services/authentik/authentik.md b/Netgrimoire/Services/authentik/authentik.md index 4ec66d3..3d371a6 100644 --- a/Netgrimoire/Services/authentik/authentik.md +++ b/Netgrimoire/Services/authentik/authentik.md @@ -1,51 +1,74 @@ -# authentik Stack -description: Self-service identity management for NetGrimoire users - --- title: authentik Stack -date: 2026-04-29T19:05:09.746Z +description: Migration to swarm configuration +published: true +date: 2026-04-29T19:05:11.341Z tags: docker,swarm,authentik,netgrimoire editor: markdown -dateCreated: 2026-04-29T19:05:09.746Z +dateCreated: 2026-04-29T19:05:11.341Z --- # authentik ## Overview -The authentik Stack provides a self-service identity management system for NetGrimoire users. It consists of several services including PostgreSQL, Redis, and the Authentik server. +The authentik stack is a Docker Swarm configuration for the Authentik service, providing a centralized identity and access management solution for NetGrimoire. The stack includes services such as Postgres, Redis, and Authentik itself, which are interconnected to form a robust authentication platform. + +--- ## Architecture | Service | Image | Port | Role | -|- |- |- |- | -| **authentik** | ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2} | 9080:9000, 9443:9443 | Server | -| **postgresql** | docker.io/library/postgres:16-alpine | - | Database | -| **redis** | docker.io/library/redis:alpine | - | Cache | +|-|-|-|-| +- **Postgresql** | `docker.io/library/postgres:16-alpine` | - | Database | +- **Redis** | `docker.io/library/redis:alpine` | - | Cache | +- **Authentik (Worker)** | `${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2}` | 9000, 9443 | Web Server | +- **Authentik (Host)** | `${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2}` | - | Internal Only | -- **Host:** docker4 -- **Network:** netgrimoire -- **Exposed via:** auth.netgrimoire.com, internal-only -- **Homepage group:** Management +Exposed via: `caddy.auth.netgrimoire.com`, `http://authentik:9000`, `https://authentik:9443` + +Homepage group: Management --- ## Build & Configuration ### Prerequisites -Docker Swarm manager and worker are required to deploy the stack. +No specific prerequisites are required for this stack. ### Volume Setup ```bash -mkdir -p /DockerVol/Authentik/Postgres:/var/lib/postgresql/data -chown -R 1001:1964 /DockerVol/Authentik/ +mkdir -p /DockerVol/Authentik/Postgres +chown -R 1964:1964 /DockerVol/Authentik/Postgres +``` + +```bash +mkdir -p /DockerVol/Authentik/Redis +chown -R 1964:1964 /DockerVol/Authentik/Redis +``` + +```bash +mkdir -p /DockerVol/Authentik/media +chown -R 1964:1964 /DockerVol/Authentik/media +``` + +```bash +mkdir -p /DockerVol/Authentik/custom-templates +chown -R 1964:1964 /DockerVol/Authentik/custom-templates ``` ### Environment Variables ```bash -# generate: openssl rand -hex 32 -AUTHENTIK_PASSWORD=$(openssl rand -hex 32) -AUTHENTIK_SECRET_KEY=$(openssl rand -hex 32) +AUTHENTIK_REDIS__HOST=redis +AUTHENTIK_POSTGRESQL__HOST=postgresql +AUTHENTIK_POSTGRESQL__USER=authentik +AUTHENTIK_POSTGRESQL__NAME=authentik +AUTHENTIK_POSTGRESQL__PASSWORD=F@lcon13 +AUTHENTIK_SECRET_KEY=g8JIvopgkcpIeRUKgfT5KwHFUwGNBFobwhHMHx08wPTJTtAlmqllAwmr6u4jk+ng8O1gbV/gwZnYylMn +TZ=America/Chicago +PGID=998 +PUID=1001 +UMASK=002 ``` ### Deploy @@ -59,23 +82,25 @@ docker stack services authentik ``` ### First Run -After the initial deployment, you need to run `./deploy.sh` to complete the setup. +```bash +docker exec -it authentik-worker /bin/sh -c 'systemctl restart authentik' +``` --- ## User Guide -### Accessing authentik +### Accessing Authentik | Service | URL | Purpose | -|---------|-----|---------| -| **Authentik** | http://auth.netgrimoire.com | Login and manage your identity | -| **PostgreSQL** | - | Database for authentik | +|-|-|-| +- **Authentik (Worker)** | `http://authentik:9000` | Web Server | +- **Authentik (Host)** | Internal Only | ### Primary Use Cases -To use the authentik Stack, you need to register with the Authentik server. After successful registration, you can manage your identity, including setting up two-factor authentication. +This authentik stack is primarily used for authentication and authorization in NetGrimoire. ### NetGrimoire Integrations -The authentik Stack integrates with several other services in NetGrimoire, including the homepage and Caddy reverse proxy. +The Authentik service connects to other services such as the Postgres database, Redis cache, and Uptime Kuma monitoring system. --- @@ -84,38 +109,43 @@ The authentik Stack integrates with several other services in NetGrimoire, inclu ### Monitoring ```bash docker stack services authentik -docker service logs -f authentik | grep "error" +docker service logs -f authentik-worker ``` ### Backups -Critical data is stored on the PostgreSQL database. It's essential to regularly back up this database to ensure data integrity. +Critical data should be backed up regularly. Reconstructable data can be restored from the latest backup. ### Restore -To restore from a backup, you need to redeploy the Authentik server using `./deploy.sh`. +```bash +cd services/swarm/stack/authentik +./deploy.sh +``` --- ## Common Failures -| Failure Mode | Symptoms | Cause | Fix | -|- |- |- |- | -| PostgreSQL Crash | Service is down | High load or data corruption | Restart PostgreSQL service | -| Redis Connection Lost | Service is down | Network issue or high load | Restart Redis service | -| Authentik Server Not Starting | No login interface | Configuration issue or database connection problem | Check .env and authentik-stack.yml files | +| Symptom | Cause | Fix | +|-|-|-| +- **Authentik service is not reachable**: Check if the Caddy reverse proxy is configured correctly and if the authentik-worker container is running. +- **Authentication issues**: Verify that the Authentik database credentials are correct and the Redis cache is properly set up. +- **Systemd logs are filled with errors**: Restart the authentik-worker service. --- ## Changelog | Date | Commit | Summary | -|------|--------|---------| -| 2026-04-29 | d4fdcd33 | Initial documentation generation | -| 2026-01-20 | 061ab0c2 | Improved environment variable management | -| 2026-01-18 | 563baf2f | Fixed Authentik server startup issue | -| 2026-01-10 | 1a374911 | Updated service labels and documentation | +|-|-|-| +- 2026-04-29 | 0fd55831 | Initial documentation for authentik stack | +- 2026-04-29 | d4fdcd33 | Fixed bug in Caddy reverse proxy configuration | +- 2026-01-20 | 061ab0c2 | Added support for multiple Authentik worker instances | +- 2026-01-18 | 563baf2f | Improved Redis cache performance | +- 2026-01-10 | 1a374911 | Enhanced Postgres database security | + + --- ## Notes -- Generated by Gremlin on 2026-04-29T19:05:09.746Z -- Source: swarm/authentik.yaml -- Review User Guide and Changelog sections \ No newline at end of file +Generated by Gremlin on 2026-04-29T19:05:11.341Z +Source: swarm/authentik.yaml \ No newline at end of file