Authentik (Identity Provider)


IP: 192.168.1.XXX | Port: 9000 (HTTP), 9443 (HTTPS) | Stack: dell/authentik/ | Domain: auth.internal.lab


Overview

Self-hosted Identity and Access Management (IAM) solution. Provides Single Sign-On (SSO) for all homelab services with enterprise-grade authentication, authorization, and audit logging.

Career Alignment: Identity management and SSO are critical enterprise skills (Security+ domain).


Access


Location

/opt/authentik/
├── docker-compose.yaml    # Server + Worker services
├── media/                 # Uploaded files (logos, certs)
├── custom-templates/      # Custom email/page templates
├── .env                   # Environment secrets (not in git)
├── CREDENTIALS.md         # Deployment credentials (chmod 600)
└── DEPLOYMENT_SUMMARY.md  # Deployment notes
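
The tree above marks .env as "not in git" and CREDENTIALS.md as chmod 600, and nothing in the deployment enforces either. The following POSIX sh helper is an example added to this page (not part of the deployment's own files) that checks both properties for a given stack directory: every secret-bearing file must exist with mode 600, and when the directory is a git checkout the files must be ignored and untracked. The stack directory is passed as a parameter; `/opt/authentik` is only the value from the tree above.

```shell
#!/bin/sh
# Lockdown check for the secret-bearing files listed in the stack tree.
# Example added to this page; the file list mirrors the tree, the directory is a parameter.

SECRET_FILES=".env CREDENTIALS.md"

# Returns 0 when every secret file exists with mode 600; prints each finding otherwise.
check_secret_file_perms() {
    dir="$1"; rc=0
    for f in $SECRET_FILES; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        mode=$(stat -c %a "$path")            # GNU stat (Linux host)
        if [ "$mode" != "600" ]; then
            echo "PERMS    $path is $mode, expected 600"; rc=1
        fi
    done
    return $rc
}

# Tighten the mode on whatever secret files are present.
fix_secret_file_perms() {
    for f in $SECRET_FILES; do
        [ -f "$1/$f" ] && chmod 600 "$1/$f"
    done
    return 0
}

# Secrets must never be committed. When the directory is a git checkout, each file must be
# ignored (git check-ignore) and not already tracked (git ls-files). Outside a checkout there is
# nothing to verify, so the check passes with a note.
check_secret_files_untracked() {
    dir="$1"; rc=0
    if [ ! -d "$dir/.git" ] || ! command -v git >/dev/null 2>&1; then
        echo "SKIP     $dir is not a git checkout"
        return 0
    fi
    for f in $SECRET_FILES; do
        if git -C "$dir" ls-files --error-unmatch "$f" >/dev/null 2>&1; then
            echo "TRACKED  $f is committed to the repository"; rc=1
        fi
        if ! git -C "$dir" check-ignore -q "$f"; then
            echo "IGNORE   $f is not covered by .gitignore"; rc=1
        fi
    done
    return $rc
}

# Usage: run both checks against the stack directory from the tree above.
# check_secret_file_perms /opt/authentik && check_secret_files_untracked /opt/authentik
```

Run it from cron or before every `docker compose up`; a non-zero exit means a secret file is missing, readable by other users, or visible to git.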

Docker Compose

services:
  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-server
    restart: unless-stopped
    command: server
    ports:
      - "9000:9000"
      - "9443:9443"
    environment:
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_POSTGRESQL__HOST=172.X.X.X
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DB_PASSWORD}
      - AUTHENTIK_REDIS__HOST=172.X.X.X
      - AUTHENTIK_REDIS__PORT=6379
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    security_opt:
      - no-new-privileges:true
 
  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_POSTGRESQL__HOST=172.X.X.X
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${DB_PASSWORD}
      - AUTHENTIK_REDIS__HOST=172.X.X.X
      - AUTHENTIK_REDIS__PORT=6379
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    security_opt:
      - no-new-privileges:true

Infrastructure Integration

Database (Existing PostgreSQL)

  • Host: 172.X.X.X (litellm-postgres container)
  • Database: authentik
  • User: authentik
  • Network: Docker bridge network

Cache (Existing Redis)

  • Host: 172.X.X.X (redis-litellm container)
  • Port: 6379
  • Reuse: Shared with LiteLLM caching

Network Configuration

  • Uses Docker network_mode: host for connectivity
  • Can access PostgreSQL/Redis via internal IPs
  • External access via ports 9000/9443

Key Configuration Notes

  • Secret Key: 60-character base64 string for encryption
  • Database: Separate from LiteLLM (same PostgreSQL instance, different DB)
  • Worker: Required for background tasks (email, sync, events)
  • Media: Persisted for uploaded logos, certificates

Initial Setup

Step 1: Bootstrap Admin Account

  1. Visit http://192.168.1.XXX:9000/if/flow/initial-setup/
  2. Create admin username and password
  3. Configure email (optional but recommended)

Step 2: Basic Configuration

  1. Admin Interface: https://auth.internal.lab/if/admin/
  2. System → General: Configure instance name, branding
  3. Applications: Create entries for each service
  4. Providers: Configure OAuth2/SAML/LDAP

Step 3: Add First Application

Example: Grafana

Provider Type: OAuth2/OpenID
Client ID: (generated)
Client secret: [REDACTED]
Redirect URIs: http://192.168.1.XXX:3030/login/generic_oauth
Scopes: openid, profile, email

Nginx Proxy Manager Configuration

Required for auth.internal.lab access:

Setting                 Value
Domain Names            auth.internal.lab
Scheme                  http
Forward Hostname/IP     192.168.1.XXX
Forward Port            9000
Cache Assets            ☑️
Block Common Exploits   ☑️
SSL                     ☑️ (Request new certificate)

DNS Configuration

Add to both Pi-hole instances:

auth.internal.lab → 192.168.1.XXX

Primary Pi-hole (192.168.1.XXX): Local DNS → DNS Records
Secondary Pi-hole (192.168.1.XXX): Local DNS → DNS Records


Services to Integrate

Phase 1: Core Services

  • Grafana (192.168.1.XXX:3030) - OAuth2 provider
  • Vaultwarden (192.168.1.XXX:8081) - OAuth2 provider
  • Skip Dashboard (192.168.1.XXX:3080) - JWT/OAuth2

Phase 2: Infrastructure

  • Dockhand (192.168.1.XXX:3000) - If supported
  • Homepage (192.168.1.XXX:4000) - OIDC headers
  • LiteLLM (192.168.1.XXX:4000) - API key management

Phase 3: Future

  • Wazuh (192.168.1.XXX) - If dashboard supports SSO
  • Podcast Studio (planned) - User authentication

Security Considerations

Why Authentik vs Keycloak?

  • Modern UI: Better user experience
  • Simpler Setup: Less complex than Keycloak
  • Active Development: Regular updates, responsive community
  • Go-based: Lower resource usage than Java (Keycloak)

Secret Key Rotation

# Generate new secret (openssl wraps base64 output after 64 characters; tr joins it onto one line)
openssl rand -base64 60 | tr -d '\n'

# Update AUTHENTIK_SECRET_KEY in .env, then recreate the containers.
# `docker compose restart` reuses the old environment; `up -d` re-reads .env.
# Every active session is signed out once the new key is live.
vim /opt/authentik/.env
cd /opt/authentik && docker compose up -d
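
Editing .env by hand works for a one-off, but a scripted rotation keeps a dated copy of the previous key, rewrites only the one line, and leaves the file at mode 600. The POSIX sh functions below are an example added to this page, not the deployment's own tooling: the generator is the same `openssl rand -base64 60` as above (with a /dev/urandom fallback), the env file path is a parameter, and `apply_rotation` assumes the compose project lives in the same directory as the env file.

```shell
#!/bin/sh
# Rotate AUTHENTIK_SECRET_KEY in an env file in place, keeping a timestamped backup.
# Example added to this page; the env file path is a parameter, /opt/authentik/.env is the
# value from the section above.

# 60 random bytes -> 80 base64 characters. tr strips the line wrap the encoders insert.
gen_secret_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 60 | tr -d '\n'
    else
        head -c 60 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Print the current key from an env file (empty if none).
read_secret_key() {
    sed -n 's/^AUTHENTIK_SECRET_KEY=//p' "$1"
}

# rotate_secret_key ENV_FILE [NEW_KEY]
# Replaces the AUTHENTIK_SECRET_KEY line (appends one if absent), passes every other line
# through untouched, and prints the path of the backup it made. Returns 1 if the file is missing.
rotate_secret_key() {
    env_file="$1"
    new_key="${2:-$(gen_secret_key)}"      # second argument lets a caller supply a key
    [ -f "$env_file" ] || { echo "no such env file: $env_file" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$env_file.bak.$stamp"
    cp -p "$env_file" "$backup"             # the old key is needed if the rollout is rolled back
    chmod 600 "$backup"
    tmp="$env_file.tmp.$$"
    awk -v key="$new_key" '
        /^AUTHENTIK_SECRET_KEY=/ { print "AUTHENTIK_SECRET_KEY=" key; seen = 1; next }
        { print }
        END { if (!seen) print "AUTHENTIK_SECRET_KEY=" key }
    ' "$env_file" > "$tmp"
    chmod 600 "$tmp"                         # never leave the secret world-readable, even briefly
    mv "$tmp" "$env_file"
    echo "$backup"
}

# Recreate the containers so the new value is picked up. `docker compose restart` would keep
# the old environment; `up -d` re-reads .env and recreates only what changed.
apply_rotation() {
    ( cd "$(dirname "$1")" && docker compose up -d )
}

# Usage:
# backup=$(rotate_secret_key /opt/authentik/.env) && apply_rotation /opt/authentik/.env
```

Keep the `.bak.*` copies under the same mode 600 rule as .env itself, and delete them once the new key has been confirmed working.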

Audit Logging

  • All authentication events logged
  • View in Admin → Events
  • Export for compliance if needed

Backup Strategy

What to Backup

# Database (PostgreSQL)
docker exec litellm-postgres pg_dump -U authentik authentik > authentik-backup.sql
 
# Media and config
tar czf authentik-config.tar.gz /opt/authentik/media /opt/authentik/.env

Restore Process

  1. Restore database: psql -U authentik authentik < authentik-backup.sql
  2. Restore files: tar xzf authentik-config.tar.gz
  3. Restart containers: docker compose restart
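
The backup and restore steps above are the minimum; a backup that has never been read back is not yet a backup. The POSIX sh script below is an example added to this page, not the deployment's own script. It runs the same pg_dump through the litellm-postgres container, archives media, custom-templates and .env relative to the stack directory so the tarball restores anywhere, records SHA-256 sums, and verifies the archive is readable end to end before reporting success. The restore helper uses `docker exec -i` so the redirected dump actually reaches psql inside the container. BACKUP_DIR is an assumption, not a path from the page.

```shell
#!/bin/sh
# Backup and restore helpers for the authentik stack. Example added to this page; container
# name and stack paths come from the page, BACKUP_DIR is an assumed location.

BACKUP_DIR="${BACKUP_DIR:-/opt/authentik/backups}"

# Dump the database through the existing PostgreSQL container (no psql client needed on the host).
dump_database() {
    docker exec litellm-postgres pg_dump -U authentik authentik > "$1"
}

# Feed a dump back the same way; -i keeps stdin attached so the redirect reaches psql.
restore_database() {
    docker exec -i litellm-postgres psql -U authentik authentik < "$1"
}

# archive_config STACK_DIR OUT_TGZ
# Archive what cannot be regenerated. Paths are stored relative to STACK_DIR, so extraction
# with `tar xzf OUT_TGZ -C /opt/authentik` puts everything back in place.
archive_config() {
    base="$1"; out="$2"
    tar czf "$out" -C "$base" media custom-templates .env
    chmod 600 "$out"                        # .env inside holds the DB password and secret key
}

# Record SHA-256 of every artifact so a restore can detect a truncated or altered copy.
write_checksums() {
    ( cd "$1" && sha256sum *.sql *.tar.gz > SHA256SUMS )
}

# verify_backup DIR: checksums must match and the archive must list cleanly end to end.
verify_backup() {
    dir="$1"
    ( cd "$dir" && sha256sum -c --quiet SHA256SUMS ) || return 1
    tar tzf "$dir"/*.tar.gz > /dev/null 2>&1 || return 1
}

# Full run: dump, archive, checksum, verify. Non-zero exit on any failure.
backup_authentik() {
    dest="$BACKUP_DIR/$(date +%Y-%m-%d)"
    mkdir -p "$dest" && chmod 700 "$dest"
    dump_database "$dest/authentik-backup.sql" || return 1
    archive_config /opt/authentik "$dest/authentik-config.tar.gz" || return 1
    write_checksums "$dest" && verify_backup "$dest"
}

# Restore from a verified backup directory, then recreate the containers (up -d re-reads .env).
restore_authentik() {
    dir="$1"
    verify_backup "$dir" || { echo "backup in $dir failed verification" >&2; return 1; }
    restore_database "$dir/authentik-backup.sql" || return 1
    tar xzf "$dir"/authentik-config.tar.gz -C /opt/authentik || return 1
    ( cd /opt/authentik && docker compose up -d )
}
```

Run `backup_authentik` from cron and copy the dated directory off the host; `restore_authentik` refuses to proceed when the checksums no longer match, which is exactly the case where a silent restore would do the most damage.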

Troubleshooting

Server Won’t Start

  • Check PostgreSQL connection: docker logs authentik-server
  • Verify credentials in .env
  • Ensure Redis is accessible: redis-cli -h 172.X.X.X ping

Database Connection Issues

  • Verify pg_hba.conf allows 192.168.1.XXX/24
  • Check PostgreSQL user exists: \du in psql
  • Test connection: psql -h 172.X.X.X -U authentik authentik

Worker Not Processing

  • Check worker logs: docker logs authentik-worker
  • Ensure Redis is not full: redis-cli info memory
  • Restart worker: docker compose restart authentik-worker

Learning Resources

Authentik Documentation

  • Official Docs: https://goauthentik.io/docs/
  • Applications: OAuth2, SAML, LDAP providers
  • Flows: Custom authentication flows
  • Policies: Attribute-based access control

Enterprise SSO Patterns

  • OIDC vs SAML: OIDC for modern apps, SAML for legacy
  • JIT Provisioning: Just-in-time user creation
  • Attribute Mapping: Map LDAP groups to app roles


Deployment Date

2026-02-16 - Deployed on Dell Stronghold as enterprise IAM solution


Future Enhancements

Phase 2: Advanced Features

  • LDAP Outpost - For services requiring LDAP
  • RADIUS Outpost - For network device authentication
  • SCIM Integration - Automated user provisioning
  • Federation - SAML federation with external IdPs

Phase 3: Monitoring

  • Prometheus Metrics - Export auth metrics
  • Grafana Dashboard - Visualize login patterns
  • Alerting - Failed login attempts, suspicious activity