Files
truenas-stacks/identity-authentik/README.md
Fizzlepoof c1f6dce227
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
Expose Authentik on public Pangolin hostname
2026-05-23 20:23:27 +00:00

2.5 KiB

Identity / SSO - Authentik

This stack stages an Authentik migration in parallel with the current Authelia deployment so cutover can happen app-by-app with easy rollback.

Current design choices:

  • Authentik server + worker only
  • shared Postgres for durable storage
  • embedded outpost for Traefik forward-auth
  • no Redis dependency
  • no Docker socket mount
  • keep Authelia alive until all apps validate cleanly

Why this shape:

  • it future-proofs the identity plane without turning migration into a flag day
  • it preserves easy rollback while Authentik is proven per app
  • it matches the homelab preference for shared database infra over one-off local state
  • embedded outpost is enough for this size and avoids extra moving parts

Files:

  • docker-compose.yaml
  • .env.example
  • custom-templates/.gitkeep

Bootstrap:

  1. Copy this directory to PD at /mnt/docker-ssd/docker/compose/identity-authentik

  2. Copy .env.example to .env and replace every CHANGE_ME

  3. Create the Authentik database/user in shared Postgres

  4. Validate and start:

    cd /mnt/docker-ssd/docker/compose/identity-authentik docker compose --env-file .env config docker compose --env-file .env up -d

  5. Verify readiness:

    docker compose ps docker logs authentik-server --tail=50 curl -fsS http://127.0.0.1:9000/-/health/ready/

  6. Complete initial login with the bootstrap admin on the internal URL first, then wire the public Pangolin hostname https://authentik.paccoco.com. Grafana and other OIDC clients should use that public hostname instead of the LAN-only http://10.5.30.6:9000 base URL.

  7. Build providers before cutover:

    • Grafana: OAuth2/OIDC provider
    • Gitea: proxy provider, forward auth, single application
    • Technitium: proxy provider, forward auth, single application
    • Traefik dashboard: proxy provider, forward auth, single application
  8. Bind those proxy providers to the embedded outpost.

  9. Cut apps over one at a time from Authelia forward-auth to Authentik forward-auth.

  10. Only remove Authelia after every migrated app and logout flow is verified.

Notes:

  • Authentik listens internally on port 9000 for HTTP and serves the embedded outpost paths there too.
  • The Traefik middleware should call: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
  • Each forward-auth protected app also needs a higher-priority router for: PathPrefix(/outpost.goauthentik.io/) routed to Authentik, or the login flow will break.
  • Grafana should end on native OIDC instead of remaining behind forward-auth long-term.