manfre · October 2, 2022 10:38
diff --git a/authentik-docker-compose.yaml b/authentik-docker-compose.yaml
 ---
 version: '3.4'

 services:
  postgresql:
    image: docker.io/library/postgres:14-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    # env_file:
    #   - .env
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
      AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT:-25}
      AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
      AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
      AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS:-false}
      AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL:-false}
      AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT:-10}
      AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
      GEOIPUPDATE_ACCOUNT_ID: ${GEOIPUPDATE_ACCOUNT_ID}
      GEOIPUPDATE_LICENSE_KEY: ${GEOIPUPDATE_LICENSE_KEY}
      AUTHENTIK_AUTHENTIK__GEOIP: ${AUTHENTIK_AUTHENTIK__GEOIP:-/geoip/GeoLite2-City.mmdb}
    volumes:
      - /opt/authentik_data/media:/media
      - /opt/authentik_data/custom-templates:/templates
      - geoip:/geoip
    # env_file:
    #   - .env
    ports:
      - "${AUTHENTIK_PORT_HTTP:-10000}:9000"
      - "${AUTHENTIK_PORT_HTTPS:-10443}:9443"
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
      AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT:-25}
      AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
      AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
      AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS:-false}
      AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL:-false}
      AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT:-10}
      AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
      GEOIPUPDATE_ACCOUNT_ID: ${GEOIPUPDATE_ACCOUNT_ID}
      GEOIPUPDATE_LICENSE_KEY: ${GEOIPUPDATE_LICENSE_KEY}
      AUTHENTIK_AUTHENTIK__GEOIP: ${AUTHENTIK_AUTHENTIK__GEOIP:-/geoip/GeoLite2-City.mmdb}
    # This is optional, and can be removed. If you remove this, the following will happen
    # - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
    # - The docker socket can't be accessed anymore
    user: root
    volumes:
      - /opt/authentik_data/media:/media
      - /opt/authentik_data/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/authentik_data/custom-templates:/templates
      - geoip:/geoip
    # env_file:
    #   - .env
  geoipupdate:
    image: "maxmindinc/geoipupdate:latest"
    volumes:
      - "geoip:/usr/share/GeoIP"
    environment:
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
      GEOIPUPDATE_FREQUENCY: "8"
      GEOIPUPDATE_ACCOUNT_ID: ${GEOIPUPDATE_ACCOUNT_ID}
      GEOIPUPDATE_LICENSE_KEY: ${GEOIPUPDATE_LICENSE_KEY}
      AUTHENTIK_AUTHENTIK__GEOIP: ${AUTHENTIK_AUTHENTIK__GEOIP:-/geoip/GeoLite2-City.mmdb}
    # env_file:
    #   - .env

 volumes:
  database:
    driver: local
  redis:
    driver: local
  geoip:
    driver: local
diff --git a/Caddyfile b/Caddyfile
 {$MICROBIN_EXTERNAL_DNS:paste.myapp.local} {

    # always forward outpost path to actual outpost
    reverse_proxy /outpost.goauthentik.io/* {$AUTHENTIK_CONTAINER_NAME:authentik-server-1}:{$AUTHENTIK_PORT:9000}

    # forward authentication to outpost
    forward_auth {$AUTHENTIK_CONTAINER_NAME:authentik-server-1}:{$AUTHENTIK_PORT:9000} {
        uri /outpost.goauthentik.io/auth/caddy

        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

        # optional, in this config trust all private ranges, should probably be set to the outposts IP
        trusted_proxies private_ranges
    }
    # actual site configuration below, for example

    reverse_proxy {$MICROBIN_CONTAINER_NAME:microbin}:{$MICROBIN_PORT:8080}
 }
diff --git a/notes.md b/notes.md
	---
	version: '3.4'

	services:
	postgresql:
	image: docker.io/library/postgres:14-alpine
	restart: unless-stopped
	healthcheck:
	test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
	start_period: 20s
	interval: 30s
	retries: 5
	timeout: 5s
	volumes:
	- database:/var/lib/postgresql/data
	environment:
	- POSTGRES_PASSWORD=${PG_PASS:?database password required}
	- POSTGRES_USER=${PG_USER:-authentik}
	- POSTGRES_DB=${PG_DB:-authentik}
	# env_file:
	# - .env
	redis:
	image: docker.io/library/redis:alpine
	command: --save 60 1 --loglevel warning
	restart: unless-stopped
	healthcheck:
	test: ["CMD-SHELL", "redis-cli ping \| grep PONG"]
	start_period: 20s
	interval: 30s
	retries: 5
	timeout: 3s
	volumes:
	- redis:/data
	server:
	image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}
	restart: unless-stopped
	command: server
	environment:
	AUTHENTIK_REDIS__HOST: redis
	AUTHENTIK_POSTGRESQL__HOST: postgresql
	AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
	AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
	AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
	AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
	AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
	AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
	AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT:-25}
	AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
	AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
	AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS:-false}
	AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL:-false}
	AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT:-10}
	AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
	GEOIPUPDATE_ACCOUNT_ID: ${GEOIPUPDATE_ACCOUNT_ID}
	GEOIPUPDATE_LICENSE_KEY: ${GEOIPUPDATE_LICENSE_KEY}
	AUTHENTIK_AUTHENTIK__GEOIP: ${AUTHENTIK_AUTHENTIK__GEOIP:-/geoip/GeoLite2-City.mmdb}
	volumes:
	- /opt/authentik_data/media:/media
	- /opt/authentik_data/custom-templates:/templates
	- geoip:/geoip
	# env_file:
	# - .env
	ports:
	- "${AUTHENTIK_PORT_HTTP:-10000}:9000"
	- "${AUTHENTIK_PORT_HTTPS:-10443}:9443"
	worker:
	image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}
	restart: unless-stopped
	command: worker
	environment:
	AUTHENTIK_REDIS__HOST: redis
	AUTHENTIK_POSTGRESQL__HOST: postgresql
	AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
	AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
	AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
	AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
	AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
	AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
	AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT:-25}
	AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
	AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
	AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS:-false}
	AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL:-false}
	AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT:-10}
	AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
	GEOIPUPDATE_ACCOUNT_ID: ${GEOIPUPDATE_ACCOUNT_ID}
	GEOIPUPDATE_LICENSE_KEY: ${GEOIPUPDATE_LICENSE_KEY}
	AUTHENTIK_AUTHENTIK__GEOIP: ${AUTHENTIK_AUTHENTIK__GEOIP:-/geoip/GeoLite2-City.mmdb}
	# This is optional, and can be removed. If you remove this, the following will happen
	# - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
	# - The docker socket can't be accessed anymore
	user: root
	volumes:
	- /opt/authentik_data/media:/media
	- /opt/authentik_data/certs:/certs
	- /var/run/docker.sock:/var/run/docker.sock
	- /opt/authentik_data/custom-templates:/templates
	- geoip:/geoip
	# env_file:
	# - .env
	geoipupdate:
	image: "maxmindinc/geoipupdate:latest"
	volumes:
	- "geoip:/usr/share/GeoIP"
	environment:
	GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
	GEOIPUPDATE_FREQUENCY: "8"
	GEOIPUPDATE_ACCOUNT_ID: ${GEOIPUPDATE_ACCOUNT_ID}
	GEOIPUPDATE_LICENSE_KEY: ${GEOIPUPDATE_LICENSE_KEY}
	AUTHENTIK_AUTHENTIK__GEOIP: ${AUTHENTIK_AUTHENTIK__GEOIP:-/geoip/GeoLite2-City.mmdb}
	# env_file:
	# - .env

	volumes:
	database:
	driver: local
	redis:
	driver: local
	geoip:
	driver: local
	{$MICROBIN_EXTERNAL_DNS:paste.myapp.local} {

	# always forward outpost path to actual outpost
	reverse_proxy /outpost.goauthentik.io/* {$AUTHENTIK_CONTAINER_NAME:authentik-server-1}:{$AUTHENTIK_PORT:9000}

	# forward authentication to outpost
	forward_auth {$AUTHENTIK_CONTAINER_NAME:authentik-server-1}:{$AUTHENTIK_PORT:9000} {
	uri /outpost.goauthentik.io/auth/caddy

	# capitalization of the headers is important, otherwise they will be empty
	copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

	# optional, in this config trust all private ranges, should probably be set to the outposts IP
	trusted_proxies private_ranges
	}
	# actual site configuration below, for example

	reverse_proxy {$MICROBIN_CONTAINER_NAME:microbin}:{$MICROBIN_PORT:8080}
	}