Authentik is the central Identity Provider (IdP) for SSO, running as a set of Docker containers:
This document focuses on:
Recommended layout on the host:
/opt/docker/authentik/
├── docker-compose.yml
├── .env
├── postgres-data/
└── redis-data/
Create directories:
# Create both bind-mount directories in one call, then work from the stack root.
mkdir -p \
  /opt/docker/authentik/postgres-data \
  /opt/docker/authentik/redis-data
cd /opt/docker/authentik
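cd /opt/docker/authentik
# The quoted 'EOF' delimiter stops the shell from expanding ${PG_PASS}; the
# placeholder is written literally and resolved later by Compose from .env.
cat > docker-compose.yml << 'EOF'
# Authentik stack: PostgreSQL, Redis, authentik server and authentik worker.
# The top-level "version" key is ignored by Compose v2; kept for older tooling.
version: "3.9"

services:
  postgresql:
    image: postgres:16-alpine
    container_name: authentik-postgres
    restart: unless-stopped
    environment:
      - POSTGRES_DB=authentik
      - POSTGRES_USER=authentik
      # Taken from .env; ":?" makes Compose refuse to start with an unset or
      # empty password instead of passing an empty value through.
      - "POSTGRES_PASSWORD=${PG_PASS:?database password required}"
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "authentik"]
      interval: 10s
      timeout: 5s
      retries: 5

  # No ports are published for PostgreSQL or Redis: they are reachable only
  # from the other containers on the Compose network.
  redis:
    image: redis:7-alpine
    container_name: authentik-redis
    restart: unless-stopped
    command: redis-server --save 60 1 --loglevel warning
    volumes:
      - ./redis-data:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  server:
    image: ghcr.io/goauthentik/server:2024.8
    container_name: authentik-server
    restart: unless-stopped
    command: server
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    ports:
      # Both ports are published on every host interface. If a reverse proxy
      # on this host fronts authentik, bind them to loopback instead,
      # e.g. "127.0.0.1:9000:9000", and firewall the rest.
      - "9000:9000" # HTTP
      - "9443:9443" # HTTPS
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates

  worker:
    image: ghcr.io/goauthentik/server:2024.8
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    volumes:
      - authentik-media:/media
      - authentik-templates:/templates
      # The Docker socket gives this container root-equivalent control over
      # the host's Docker daemon. It is only needed when authentik manages
      # outposts through its Docker integration; remove the line otherwise.
      - /var/run/docker.sock:/var/run/docker.sock

volumes:
  authentik-media:
  authentik-templates:
EOF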
Adjust image tag, ports and volume locations as needed.
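cd /opt/docker/authentik
# .env holds the authentik secret key and the database password. Create (or
# tighten) the file with owner-only permissions before any secret is written.
touch .env
chmod 600 .env
cat > .env << 'EOF'
# Strong random secret, e.g. generated with: openssl rand -base64 60 | tr -d '\n'
# Replace the placeholder before the first start.
AUTHENTIK_SECRET_KEY=CHANGE_ME_SECRET_KEY
# Database
# Use a random value here as well, e.g.: openssl rand -base64 36 | tr -d '\n'
PG_PASS=CHANGE_ME_DB_PASSWORD
AUTHENTIK_POSTGRESQL__HOST=postgresql
AUTHENTIK_POSTGRESQL__PORT=5432
AUTHENTIK_POSTGRESQL__USER=authentik
# NOTE(review): this relies on Compose expanding ${PG_PASS} inside env_file
# values. Confirm the server container receives the real password; if your
# Compose version does not expand it, write the password here literally.
AUTHENTIK_POSTGRESQL__PASSWORD=${PG_PASS}
AUTHENTIK_POSTGRESQL__NAME=authentik
# Redis
AUTHENTIK_REDIS__HOST=redis
AUTHENTIK_REDIS__PORT=6379
# Server options
AUTHENTIK_SERVER__WORKERS=2
AUTHENTIK_DISABLE_UPDATE_CHECK=false
# Optional: external URL, email, etc.
# AUTHENTIK_GLOBAL__DOMAIN=auth.zd-c.com
# AUTHENTIK_EMAIL__HOST=smtp.example.com
EOF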
# Day-to-day operations. These are independent commands, not a script to run
# top to bottom.
cd /opt/docker/authentik
# Start the whole stack in the background
docker compose up -d
# Stop and remove the containers (bind-mounted data and named volumes are kept)
docker compose down
# Container overview: name, status and published ports
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
# Server logs (last 100 lines, then follow mode)
docker logs authentik-server --tail 100
docker logs authentik-server -f
# Worker logs (last 100 lines, then follow mode)
docker logs authentik-worker --tail 100
docker logs authentik-worker -f
# DB / Redis logs
docker logs authentik-postgres --tail 100
docker logs authentik-redis --tail 100
# Health information from the container metadata, with line numbers
docker inspect authentik-server | grep -i health -n
docker inspect authentik-worker | grep -i health -n
docker inspect authentik-postgres | grep -i health -n
docker inspect authentik-redis | grep -i health -n
# Interactive shells inside the containers. The server and worker containers
# load .env, so their environment contains AUTHENTIK_SECRET_KEY and the
# database password; restrict who may run these commands on the host.
docker exec -it authentik-server /bin/bash
docker exec -it authentik-worker /bin/bash
docker exec -it authentik-postgres /bin/sh
docker exec -it authentik-redis /bin/sh
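# Dump the authentik database to a dated SQL file on the host.
DB_NAME="authentik"
DB_USER="authentik"
BACKUP_DIR="/backup/authentik/db"
DATE="$(date +%Y-%m-%d)"
DUMP_FILE="${BACKUP_DIR}/authentik-db-${DATE}.sql"
# The dump is a full copy of the identity provider's database, including its
# stored credentials and secrets, so keep directory and file owner-only.
mkdir -p "${BACKUP_DIR}"
chmod 700 "${BACKUP_DIR}"
if docker exec authentik-postgres \
     pg_dump -U "${DB_USER}" "${DB_NAME}" \
     > "${DUMP_FILE}"; then
  chmod 600 "${DUMP_FILE}"
else
  # A failed pg_dump leaves an empty or truncated file behind; do not keep it
  # where it could be mistaken for a usable backup.
  rm -f "${DUMP_FILE}"
  echo "pg_dump failed; no backup written" >&2
fi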
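# Restore the database from a SQL dump.
cd /opt/docker/authentik
# Stop the whole stack so nothing writes to the database during the restore.
docker compose down
cd /opt/docker/authentik
# Start only PostgreSQL and wait until it accepts connections; otherwise psql
# can run before the server is ready.
docker compose up -d postgresql
until docker exec authentik-postgres pg_isready -U authentik; do
  sleep 1
done
BACKUP_FILE="/backup/authentik/db/authentik-db-YYYY-MM-DD.sql"
# ON_ERROR_STOP makes psql abort on the first failed statement instead of
# carrying on and leaving a partially restored identity database.
# NOTE(review): the dump is taken without --clean, so it presumably expects an
# empty "authentik" database; confirm before restoring over existing data.
docker exec -i authentik-postgres \
  psql -v ON_ERROR_STOP=1 -U authentik authentik \
  < "${BACKUP_FILE}"
cd /opt/docker/authentik
# Bring the rest of the stack back up once the restore has finished cleanly.
docker compose up -d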
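# Archive the Compose file and .env.
BACKUP_DIR="/backup/authentik/config"
DATE="$(date +%Y-%m-%d)"
ARCHIVE="${BACKUP_DIR}/authentik-config-${DATE}.tgz"
# The archive includes .env, i.e. AUTHENTIK_SECRET_KEY and the database
# password, so keep the directory and the archive owner-only.
mkdir -p "${BACKUP_DIR}"
chmod 700 "${BACKUP_DIR}"
tar czf "${ARCHIVE}" \
  -C /opt/docker/authentik docker-compose.yml .env
chmod 600 "${ARCHIVE}"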
# Upgrade. Take a fresh database dump and a copy of docker-compose.yml / .env
# first, so the previous state can be restored if the new version fails.
cd /opt/docker/authentik
# Pull newer images for the tags named in docker-compose.yml. The authentik
# services are pinned to the 2024.8 tag there, so moving to another release
# means editing that tag before pulling.
docker compose pull
# Recreate the containers from the pulled images
docker compose up -d
# Verify that every container came back and check the server log for errors
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
docker logs authentik-server --tail 200
docker-compose.yml / .env.
cd /opt/docker/authentik
docker compose run --rm server create_recovery_key 10 akadmin
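This prints a recovery URL for user akadmin.
Anyone who has the URL can sign in as akadmin while the key is valid, so keep it secret and remove the flow after use. The first argument (10) sets how long the key stays valid; check which unit your authentik version uses and choose the shortest value that works.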
cd /opt/docker/authentik
docker compose run --rm server createsuperuser
Follow the interactive prompts.
For each new app integrated with Authentik:
No extra commands here, just a standard workflow.
# Troubleshooting checklist: independent commands, run the ones that apply.
# Check if all containers are up
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
# Server/worker logs
docker logs authentik-server --tail 200
docker logs authentik-worker --tail 200
# DB and Redis health
docker logs authentik-postgres --tail 50
docker logs authentik-redis --tail 50
# Network issues
# The network name assumes the default Compose project name, which comes from
# the directory name (authentik); adjust it if the project is named otherwise.
docker network ls
docker network inspect authentik_default | grep -i ipaddress -n