#homelab #network #security

Authentik is an IdP (Identity Provider) and SSO (single sign on) that is built with security at the forefront of every piece of code, every feature, with an emphasis on flexibility and versatility.

For more information, please visit the documentation pages on Terminology and Architecture.

1. docker-compose.yaml

Get it via wget https://goauthentik.io/docker-compose.yml

If you run Docker in rootless mode:
Comment out the user: root line and the Docker socket volume mount (- /var/run/docker.sock:/var/run/docker.sock)


Run docker compose up -d

If the authentik-worker-1 container is not coming up:
# To view the live log of the worker container
docker compose logs -f worker


This showed the following error:
worker-1  | {"event": "PostgreSQL connection failed, retrying... (connection failed: connection to server at \"172.18.0.3\", port 5432 failed: FATAL:  password authentication failed for user \"authentik\")", "level": "info", "logger": "authentik.lib.config"}


To resolve this, I changed the PostgreSQL password myself inside the container and updated the .env file.
# Connect to the container, the <database_name> is likely "authentik"
docker exec -it <postgres_container_name> psql -U authentik -d <database_name>

# Now you are connected to the database as authentik and can change the database password with
ALTER USER authentik WITH PASSWORD '<new_password>';

# Close the connection with
\q


Now update the .env file with the newly set password and restart the containers with docker compose down && docker compose up -d.
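The same password reset as a script, added here as an example (it is not from these notes and not authentik's own tooling): it draws a random password from /dev/urandom, sends the ALTER USER to psql over stdin so the secret does not land in shell history or in ps output, rewrites the .env entry and restarts the stack. It assumes the database container is named authentik-postgresql-1, that role and database are both "authentik", and that docker-compose.yml reads the password from PG_PASS in .env; check all three against your copy. Nothing touches Docker unless ROTATE=1 is set, so the helper functions can be sourced and tried on their own.

```shell
#!/bin/sh
# Added example, not part of the original notes or of authentik.
# Assumptions (adjust to your setup):
#   - database container: authentik-postgresql-1, role and database both "authentik"
#   - the compose file reads the database password from PG_PASS in .env
# The rotation only runs when ROTATE=1 is set; the helpers are safe to source.
set -eu

PG_CONTAINER=${PG_CONTAINER:-authentik-postgresql-1}   # assumed container name
ENV_FILE=${ENV_FILE:-.env}
PG_PASS_KEY=PG_PASS                                      # assumed .env key

# 64 hex characters from the kernel CSPRNG; hex needs no quoting in SQL or in .env
gen_password() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Replace KEY=... in an env file, or append it if missing. Writes through a temp
# file so an interrupted run never leaves a truncated .env behind.
set_env_var() {
  file=$1 key=$2 value=$3
  if [ -f "$file" ] && grep -q "^${key}=" "$file"; then
    awk -v k="$key" -v v="$value" \
      'BEGIN { FS = OFS = "=" } $1 == k { print k "=" v; next } { print }' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Double any single quote so the value is a valid SQL string literal
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# Feed the statement over stdin: the new password never appears on a command line
rotate_db_password() {
  new_pw=$1
  printf "ALTER USER authentik WITH PASSWORD '%s';\n" "$(sql_quote "$new_pw")" |
    docker exec -i "$PG_CONTAINER" psql -U authentik -d authentik -v ON_ERROR_STOP=1 -q
}

if [ "${ROTATE:-0}" = "1" ]; then
  pw=$(gen_password)
  rotate_db_password "$pw"
  set_env_var "$ENV_FILE" "$PG_PASS_KEY" "$pw"
  chmod 600 "$ENV_FILE"            # the file now holds a live credential
  docker compose down && docker compose up -d
  echo "database password rotated and $ENV_FILE updated"
fi
```

Run it as ROTATE=1 sh rotate-pg-pass.sh from the directory that holds docker-compose.yml and .env. The chmod 600 is there because .env is read by compose as root-equivalent configuration but is otherwise an ordinary file; the database password should not be world-readable on the host.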

Now my worker still didn’t want to come up. Checking the logs revealed this:
worker-1  | {"event": "Redis Connection successful", "level": "info", "logger": "authentik.lib.config", "timestamp": 1748459393.7094638}
worker-1  | {"event": "Finished authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1748459393.709638}
worker-1  | 2025-05-28 19:09:53 [info     ] waiting to acquire database lock
worker-1  | 2025-05-28 19:09:53 [info     ] Migration needs to be applied  migration=tenant_files.py
worker-1  | 2025-05-28 19:09:53 [info     ] releasing database lock
worker-1  | Traceback (most recent call last):
worker-1  |   File "<frozen runpy>", line 198, in _run_module_as_main
worker-1  |   File "<frozen runpy>", line 88, in _run_code
worker-1  |   File "/manage.py", line 43, in <module>
worker-1  |     run_migrations()
worker-1  |   File "/lifecycle/migrate.py", line 103, in run_migrations
worker-1  |     migration.run()
worker-1  |   File "/lifecycle/system_migrations/tenant_files.py", line 18, in run
worker-1  |     TENANT_MEDIA_ROOT.mkdir(parents=True)
worker-1  |   File "/usr/local/lib/python3.12/pathlib.py", line 1311, in mkdir
worker-1  |     os.mkdir(self, mode)
worker-1  | PermissionError: [Errno 13] Permission denied: '/media/public'


Basically, for whatever reason, docker compose created the media folder but not its public sub-folder, and the worker has no permission to create it itself. So we need to create this sub-folder ourselves:
mkdir media/public


Restarting the containers now works and the worker also comes up 🎉
Go to http://<your server's IP or hostname>:9000/if/flow/initial-setup/ for the initial setup.


I then got greeted with the lovely words “Request has been denied”.
A workaround for this is described here: https://github.com/goauthentik/authentik/issues/8127#issuecomment-2064940411 and https://docs.goauthentik.io/docs/troubleshooting/login


Basically we create a key with which we can bypass the login screen. HOWEVER: ANYONE WITH THIS KEY/URL CAN BYPASS AUTHENTICATION. So keep it secure and set the valid duration to a very short time.
docker compose run --rm server create_recovery_key 1 akadmin
This key is now valid for one year. I could not figure out if one can go lower.


Once you are logged in, click through the following:
Admin Interface (navbar) > Directory (sidebar) > Users (option in dropdown) > akadmin (link) > User Info (left-side section) > Set Password (button)


Customize Authentik

https://www.youtube.com/watch?v=3oIRY0NWPr8