2.3 KiB
Identity / SSO - Authentik
This stack stages an Authentik migration in parallel with the current Authelia deployment so cutover can happen app-by-app with easy rollback.
Current design choices:
- Authentik server + worker only
- shared Postgres for durable storage
- embedded outpost for Traefik forward-auth
- no Redis dependency
- no Docker socket mount
- keep Authelia alive until all apps validate cleanly
Why this shape:
- it future-proofs the identity plane without turning migration into a flag day
- it preserves easy rollback while Authentik is proven per app
- it matches the homelab preference for shared database infra over one-off local state
- embedded outpost is enough for this size and avoids extra moving parts
Files:
- docker-compose.yaml
- .env.example
- custom-templates/.gitkeep
Bootstrap:
-
Copy this directory to PD at /mnt/docker-ssd/docker/compose/identity-authentik
-
Copy .env.example to .env and replace every CHANGE_ME
-
Create the Authentik database/user in shared Postgres
-
Validate and start:
cd /mnt/docker-ssd/docker/compose/identity-authentik docker compose --env-file .env config docker compose --env-file .env up -d
-
Verify readiness:
docker compose ps docker logs authentik-server --tail=50 curl -fsS http://127.0.0.1:9000/-/health/ready/
-
Complete initial login with the bootstrap admin on the internal URL first, then wire the public auth route.
-
Build providers before cutover:
- Grafana: OAuth2/OIDC provider
- Gitea: proxy provider, forward auth, single application
- Technitium: proxy provider, forward auth, single application
- Traefik dashboard: proxy provider, forward auth, single application
-
Bind those proxy providers to the embedded outpost.
-
Cut apps over one at a time from Authelia forward-auth to Authentik forward-auth.
-
Only remove Authelia after every migrated app and logout flow is verified.
Notes:
- Authentik listens internally on port 9000 for HTTP and serves the embedded outpost paths there too.
- The Traefik middleware should call: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
- Each forward-auth protected app also needs a higher-priority router for:
PathPrefix(
/outpost.goauthentik.io/) routed to Authentik, or the login flow will break. - Grafana should end on native OIDC instead of remaining behind forward-auth long-term.