This one is going to be a little bit tricky. Authentik's docs are out of date, a lot of people have done this in creative ways, and I was not able to find a working config from a single source. I'll try my best to give you a fully working config for Authentik and a sample of how to set up one proxy with an Arr service. I did my setup with Traefik and will post a setup guide for that later. If you don't use Traefik, all you need to change is the forward-auth middleware. One thing to note: I will not be providing a working Postgres and Redis server for you. I'm running with the assumption that you will provide your own.
Docker Swarm
I am a firm believer that CPU should be left unlimited on every service that is meant to run 24/7, and that you should limit memory to prevent OOM issues. Keep the memory reservation equal to the memory limit, as in the config below, so the scheduler never places a service on a node that cannot actually give it the memory it is allowed to grow into. This is set up with Traefik on a Traefik network I named "traefik-public". My certresolver is a Let's Encrypt resolver I named le. I also use Loki for logging. If you want to deploy just the image without Traefik and Loki, you can delete all of those lines as well as update the volumes section. You can go lighter on the resource allocations if you like.
```yaml
version: "3.9"
services:
  authentik-server:
    image: ghcr.io/goauthentik/server:2023.10
    command: server
    deploy:
      resources:
        reservations:
          memory: 1G
        limits:
          memory: 1G
      labels:
        # Traefik Config
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.constraint-label=traefik-public
        # HTTPS Rules
        - traefik.http.routers.authentik.rule=Host(`auth.mydomain.com`)
        - traefik.http.routers.authentik.entrypoints=https
        - traefik.http.routers.authentik.tls=true
        - traefik.http.routers.authentik.tls.certresolver=le
        # Services
        - traefik.http.services.authentik.loadbalancer.server.port=9000
    networks:
      - traefik-public
      - databases
    secrets:
      - authentik-secret
      - pg-authentik-password
    environment:
      # The file:// scheme makes authentik read the value from the mounted Swarm
      # secret. A bare path would be used as the literal secret key, which every
      # copy of this stack would then share.
      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik-secret
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/pg-authentik-password

  authentik-worker:
    image: ghcr.io/goauthentik/server:2023.10
    command: worker
    deploy:
      resources:
        reservations:
          memory: 1G
        limits:
          memory: 1G
    environment:
      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik-secret
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/pg-authentik-password
    # root plus the Docker socket are only needed if the worker should manage
    # Docker-hosted outposts. Together they give the worker full control of the
    # host, so drop both if you only use the embedded outpost.
    user: root
    secrets:
      - authentik-secret
      - pg-authentik-password
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - databases

secrets:
  pg-authentik-password:
    external: true
  authentik-secret:
    external: true

networks:
  traefik-public:
    external: true
  databases:
    # the network your own postgresql and redis services are attached to
    external: true
```
This will create an authentik worker and server. Note the service name authentik-server: the Traefik forward-auth middleware below has to reference that exact name, because that is how Swarm resolves the service on the shared traefik-public network. For your Traefik server (or whatever you use to expose your sites), add a config similar to this. With the stack above, this Traefik config will work without any modifications.
```yaml
http:
  # forwardAuth is a middleware, not a router; routers attach it by name (authentik@file).
  middlewares:
    authentik:
      forwardAuth:
        # Swarm service name and the port Traefik routes to in the stack above
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
          - authorization
```
trustForwardHeader passes the X-Forwarded-* headers on to Authentik, which needs the original host and scheme to build the redirect back to the application. Traefik only keeps those headers from trusted sources, so if Traefik itself sits behind another proxy, set forwardedHeaders.trustedIPs on the entrypoint to that proxy only. In the traefik command key for your Swarm deployment, add this flag:

```
--providers.file.filename=/etc/traefik/config.yaml # path to the file where you saved the forward-auth config above
```
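The post covers the Authentik side and the middleware but never shows the Arr service itself, so here is an added example of the Sonarr half of the Swarm stack (my example, not the author's config). It shows the Sonarr service with the authentik@file middleware applied, plus the extra router the authentik-server service needs so that the embedded outpost's /outpost.goauthentik.io/ login and callback paths on the Sonarr hostname reach Authentik instead of Sonarr. The image, the volume names and the /srv/media path are assumptions; the hostnames, entrypoint, certresolver and network names follow the stack above.

```yaml
# Added example for the Swarm stack above; not from the original post.
# Assumptions: the linuxserver Sonarr image, the volume names and /srv/media.
version: "3.9"
services:
  sonarr:
    image: lscr.io/linuxserver/sonarr:latest   # pin a tag in production
    environment:
      PUID: "1000"
      PGID: "1000"
      TZ: Etc/UTC
    # Deliberately no `ports:` entry: publishing 8989 on the host would let
    # clients reach Sonarr without ever passing through Traefik and Authentik.
    deploy:
      resources:
        reservations:
          memory: 512M
        limits:
          memory: 512M
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.constraint-label=traefik-public
        - traefik.http.routers.sonarr.rule=Host(`sonarr.mydomain.com`)
        - traefik.http.routers.sonarr.entrypoints=https
        - traefik.http.routers.sonarr.tls=true
        - traefik.http.routers.sonarr.tls.certresolver=le
        # Every request on this router is checked against the embedded outpost
        # first. `@file` because the middleware lives in the file provider.
        - traefik.http.routers.sonarr.middlewares=authentik@file
        - traefik.http.services.sonarr.loadbalancer.server.port=8989
    volumes:
      - sonarr-config:/config
      - /srv/media:/media
    networks:
      - traefik-public

  # Add these labels to the existing authentik-server service from the stack
  # above (its other keys are omitted here). The embedded outpost serves its
  # login start/callback endpoints under /outpost.goauthentik.io/ on the
  # application's own hostname, so that prefix on sonarr.mydomain.com must be
  # routed to authentik, not to Sonarr. Host && PathPrefix is a longer rule
  # than Host alone, so Traefik prefers it over the sonarr router without an
  # explicit priority.
  authentik-server:
    deploy:
      labels:
        - traefik.http.routers.authentik-sonarr.rule=Host(`sonarr.mydomain.com`) && PathPrefix(`/outpost.goauthentik.io/`)
        - traefik.http.routers.authentik-sonarr.entrypoints=https
        - traefik.http.routers.authentik-sonarr.tls=true
        - traefik.http.routers.authentik-sonarr.tls.certresolver=le
        - traefik.http.routers.authentik-sonarr.service=authentik

volumes:
  sonarr-config:

networks:
  traefik-public:
    external: true
```

To check the wiring after deploying: curl -I https://sonarr.mydomain.com/ from outside should come back as a redirect to /outpost.goauthentik.io/start on the Sonarr hostname (Authentik intercepted it), while curl -I https://sonarr.mydomain.com/api/v3/system/status should return Sonarr's own 401, because /api/ is one of the unauthenticated paths set later in the provider and so bypasses Authentik and is guarded only by Sonarr's API key.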
Kubernetes
The Helm chart simplifies this for us quite a bit and can deploy a Redis and Postgres server for us. Both subcharts are disabled by default, and the chart does not generate a secret key or database password for you, so the values file sets all of those explicitly.
```yaml
# values/authentik.yaml
authentik:
  # Signs cookies and tokens; generate your own, e.g. openssl rand -base64 60, and never reuse a placeholder.
  secret_key: "CHANGE-ME"
  postgresql:
    password: "CHANGE-ME" # must match postgresql.postgresqlPassword below

resources:
  server:
    limits:
      memory: 1Gi
    requests:
      memory: 1Gi
  worker:
    limits:
      memory: 512Mi
    requests:
      memory: 512Mi

image:
  repository: ghcr.io/goauthentik/server
  tag: "2023.10"
  pullPolicy: Always

ingress:
  enabled: true
  ingressClassName: traefik # traefik or nginx most likely
  annotations:
    cert-manager.io/cluster-issuer: le-prod # your cert-manager or whatever issuer you use
    kubernetes.io/ingress.class: traefik # traefik or nginx most likely
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  hosts: # Specify external host name
    - host: auth.mydomain.com
      paths:
        - path: "/"
          pathType: Prefix
  tls:
    - hosts:
        - auth.mydomain.com
      secretName: authentik-tls

# Bundled database subcharts; off by default, enabled here so the chart provides them.
postgresql:
  enabled: true
  postgresqlPassword: "CHANGE-ME"
redis:
  enabled: true
```
All that’s left is to install with helm
```shell
helm repo add authentik https://charts.goauthentik.io
helm repo update
helm upgrade --install authentik authentik/authentik --values ./values/authentik.yaml -n YOUR_NAMESPACE
```
Your first Authentik Provider
Go to https://auth.mydomain.com/if/flow/initial-setup/ (or expose the service port and visit it directly) to create the first admin account, then log in. Adding a new service to Authentik is a three-step process: create a provider, create an application, and attach the provider to an outpost. Step one, create a provider.
In our case let's do Sonarr. Create a provider of type Proxy Provider with:
- Name: Sonarr
- Authentication Flow: default
- Authorization Flow: explicit to have the user confirm that they want to log in, implicit to log the user in without a prompt.
- Choose Forward auth (single application) and set External host = https://sonarr.mydomain.com
- Open Advanced protocol settings and add the following under Unauthenticated paths. This is a general catch-all so that common API paths are not blocked by Authentik. Be aware that anything matching one of these regexes skips Authentik entirely and is protected only by whatever the backend does on its own (for Sonarr, the API key on /api), so keep only the entries your app actually needs; the mesh*, agent and control entries come from other self-hosted apps, not Sonarr. One regex per line:

    ```
    ^/graphql/.*
    ^/api/.*
    ^/api2/.*
    ^/identity/.*
    ^/triggers/.*
    ^/meshagents.*
    ^/meshsettings.*
    ^/agent.*
    ^/control.*
    ^/meshrelay.*
    ^/ui.*
    ^/feed.*
    ```

Under Authentication settings, enable Send HTTP-Basic Authentication and set HTTP-Basic Username Key to app_username and HTTP-Basic Password Key to app_password. These are the names of user or group attributes that Authentik reads to build the Authorization: Basic header it sends to Sonarr on every proxied request. We will fill them in later.
Once you create this, we need to associate it with an application. Create a new application and call it Sonarr.
You should then see a button to link your application to your Sonarr provider. Once you link it, go to Outposts. The outpost is what actually answers the forward-auth requests, so the provider has to be attached to it before the middleware above will recognise the site. Edit the embedded outpost, make sure Sonarr is highlighted in the list of applications, and hit Update.
Final step
I did say it was three parts, but there is one last step that needs to be done once. In order to use some of the Arr services you do need a username and password in the app itself. If you already have one set up, awesome! If not, do this real quick:
- Go to your Sonarr settings -> General
- Under Security -> Authentication make sure it is Basic (Browser Popup)
- Authentication Required = enabled
- Add a username and password
To make your life easier, use the same credentials for all of your Arr apps. You can make it a long random password, since Authentik will be passing it in with our requests and we don't have to remember it after the initial setup. Keep in mind that the password will live as a group attribute in Authentik, so anyone who can edit that group can read it, and that the Basic header travels on every proxied request, so keep the Traefik-to-Sonarr hop on an internal network.
Back to Authentik
- Go to Directory -> Groups and create a group. I named mine Servarr Users.
- Once created, open the group and click Edit.
- Under Attributes, add app_username and app_password as top-level YAML keys, with the Sonarr username and password as their values. The key names must match the HTTP-Basic Username Key and Password Key set on the provider.
- Finally, go to Users and add the user you want to use to this group. Anyone you want to give Sonarr or Arr access to needs to have this group attached to them; without the attributes, Authentik will let the user through but Sonarr will still prompt for its own login.
Closing
This is a bit rushed; feel free to email me if you get stuck. This literally took me days, a full week or two, to get it dialed in exactly how I like it, because the docs for Authentik were so outdated.