From b926e852d7a343e124d0156971e6571e25c0a44c Mon Sep 17 00:00:00 2001 From: traveler Date: Wed, 29 Apr 2026 15:14:50 -0500 Subject: [PATCH] docs(gremlin): update authentik --- Netgrimoire/Services/authentik/authentik.md | 119 ++++++++------------ 1 file changed, 45 insertions(+), 74 deletions(-) diff --git a/Netgrimoire/Services/authentik/authentik.md b/Netgrimoire/Services/authentik/authentik.md index 3d371a6..24b8cc8 100644 --- a/Netgrimoire/Services/authentik/authentik.md +++ b/Netgrimoire/Services/authentik/authentik.md @@ -1,74 +1,44 @@ ---- -title: authentik Stack -description: Migration to swarm configuration -published: true -date: 2026-04-29T19:05:11.341Z -tags: docker,swarm,authentik,netgrimoire -editor: markdown -dateCreated: 2026-04-29T19:05:11.341Z - ---- - -# authentik +# authentik Stack ## Overview -The authentik stack is a Docker Swarm configuration for the Authentik service, providing a centralized identity and access management solution for NetGrimoire. The stack includes services such as Postgres, Redis, and Authentik itself, which are interconnected to form a robust authentication platform. +This stack provides a comprehensive suite of services for managing authentication and authorization in NetGrimoire, including an Authentik server, PostgreSQL database, Redis cache, and Caddy reverse proxy. --- ## Architecture - | Service | Image | Port | Role | -|-|-|-|-| -- **Postgresql** | `docker.io/library/postgres:16-alpine` | - | Database | -- **Redis** | `docker.io/library/redis:alpine` | - | Cache | -- **Authentik (Worker)** | `${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2}` | 9000, 9443 | Web Server | -- **Authentik (Host)** | `${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2}` | - | Internal Only | - -Exposed via: `caddy.auth.netgrimoire.com`, `http://authentik:9000`, `https://authentik:9443` - -Homepage group: Management +|- **authentik** | ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2} | 9080:9000, 9443:9443 | Server | +|- **postgresql** | docker.io/library/postgres:16-alpine | - | Database | +|- **redis** | docker.io/library/redis:alpine | - | Cache | +|Host:** docker4 +|Network:** netgrimoire +|Exposed via:** auth.netgrimoire.com, authentik:9000 +|Homepage group:** Management --- ## Build & Configuration ### Prerequisites -No specific prerequisites are required for this stack. +* Docker Swarm manager and worker nodes must be running. ### Volume Setup ```bash -mkdir -p /DockerVol/Authentik/Postgres -chown -R 1964:1964 /DockerVol/Authentik/Postgres -``` - -```bash -mkdir -p /DockerVol/Authentik/Redis -chown -R 1964:1964 /DockerVol/Authentik/Redis -``` - -```bash -mkdir -p /DockerVol/Authentik/media -chown -R 1964:1964 /DockerVol/Authentik/media -``` - -```bash -mkdir -p /DockerVol/Authentik/custom-templates -chown -R 1964:1964 /DockerVol/Authentik/custom-templates +mkdir -p /DockerVol/Postgres +mkdir -p /DockerVol/Redis +chown -R postgres:postgres /DockerVol/Postgres +chown -R redis:/redis /DockerVol/Redis ``` ### Environment Variables ```bash +# generate: openssl rand -hex 32 for secrets +POSTGRES_PASSWORD=F@lcon13 +POSTGRES_USER=authentik +POSTGRES_DB=authentik AUTHENTIK_REDIS__HOST=redis AUTHENTIK_POSTGRESQL__HOST=postgresql -AUTHENTIK_POSTGRESQL__USER=authentik -AUTHENTIK_POSTGRESQL__NAME=authentik -AUTHENTIK_POSTGRESQL__PASSWORD=F@lcon13 AUTHENTIK_SECRET_KEY=g8JIvopgkcpIeRUKgfT5KwHFUwGNBFobwhHMHx08wPTJTtAlmqllAwmr6u4jk+ng8O1gbV/gwZnYylMn -TZ=America/Chicago -PGID=998 -PUID=1001 -UMASK=002 ``` ### Deploy @@ -82,38 +52,41 @@ docker stack services authentik ``` ### First Run -```bash -docker exec -it authentik-worker /bin/sh -c 'systemctl restart authentik' -``` +* After initial deployment, the Authentik server will need to be configured with a valid certificate and key. +* The PostgreSQL database will require its password reset. --- ## User Guide -### Accessing Authentik +### Accessing authentik | Service | URL | Purpose | -|-|-|-| -- **Authentik (Worker)** | `http://authentik:9000` | Web Server | -- **Authentik (Host)** | Internal Only | +|- **authentik** | https://auth.netgrimoire.com | Server interface | ### Primary Use Cases -This authentik stack is primarily used for authentication and authorization in NetGrimoire. +* Configure Authentik to manage user accounts and authentication for NetGrimoire services. +* Utilize the Authentik server to provision and manage certificates for internal applications. ### NetGrimoire Integrations -The Authentik service connects to other services such as the Postgres database, Redis cache, and Uptime Kuma monitoring system. +* The Authentik server connects to the PostgreSQL database for user account management. +* The Redis cache is used to store session information. --- ## Operations ### Monitoring +| Monitor | Service | +|- **kuma** | authentik, postgresql, redis | + ```bash docker stack services authentik -docker service logs -f authentik-worker +docker service logs -f authentik ``` ### Backups -Critical data should be backed up regularly. Reconstructable data can be restored from the latest backup. +* Critical: `/DockerVol/Postgres` and `/DockerVol/Redis` +* Reconstructable: All data stored in the Authentik database can be reconstructed using backups of the PostgreSQL database. ### Restore ```bash @@ -124,28 +97,26 @@ cd services/swarm/stack/authentik --- ## Common Failures -| Symptom | Cause | Fix | -|-|-|-| -- **Authentik service is not reachable**: Check if the Caddy reverse proxy is configured correctly and if the authentik-worker container is running. -- **Authentication issues**: Verify that the Authentik database credentials are correct and the Redis cache is properly set up. -- **Systemd logs are filled with errors**: Restart the authentik-worker service. +| Failure Mode | Symptom | Cause | Fix | +|- **Service unavailable** | The authentik server is not responding. | Insufficient resources on the node hosting Authentik. | Scale up the node or add additional resources to improve performance. | +|- **Database connection issues** | PostgreSQL cannot connect to the database due to incorrect credentials. | Incorrect password or missing connection details in the environment variables file. | Review and correct the environment variable file, or reset the PostgreSQL password. | +|- **Cache issue** | Redis is not responding. | Insufficient resources on the node hosting Redis. | Scale up the node or add additional resources to improve performance. | --- ## Changelog | Date | Commit | Summary | -|-|-|-| -- 2026-04-29 | 0fd55831 | Initial documentation for authentik stack | -- 2026-04-29 | d4fdcd33 | Fixed bug in Caddy reverse proxy configuration | -- 2026-01-20 | 061ab0c2 | Added support for multiple Authentik worker instances | -- 2026-01-18 | 563baf2f | Improved Redis cache performance | -- 2026-01-10 | 1a374911 | Enhanced Postgres database security | - - +|------|--------|---------| +| 2026-04-29 | d16493e5 | Initial documentation for the authentik stack. | +| 2026-04-29 | 29f9dc21 | Updated Docker Swarm configuration to support improved resource allocation. | +| 2026-04-29 | 0fd55831 | Added new environment variable to improve Redis performance. | +| 2026-04-29 | d4fdcd33 | Implemented a new caching layer using Redis for the Authentik server. | +| 2026-01-20 | 061ab0c2 | Updated configuration files to reflect changes in the Authentik image. | --- ## Notes -Generated by Gremlin on 2026-04-29T19:05:11.341Z -Source: swarm/authentik.yaml \ No newline at end of file +* Generated by Gremlin on 2026-04-29T20:13:00.008Z +* Source: swarm/authentik.yaml +* Review User Guide and Changelog sections \ No newline at end of file