SOP: Install Authentik (Docker) on 10.10.8.131

Purpose

Deploy Authentik (SSO) on VM 10.10.8.131 using Docker Compose with a dedicated Postgres + Redis.

Scope

  • VM: 10.10.8.131
  • Runs:
    • authentik-server (port 9000)
    • authentik-worker
    • postgres:16
    • redis:7
  • Published as: https://auth.aurbotstem.com via Nginx Proxy Manager (NPM)

Architecture

  • Internet → Router NAT 80/443 → NPM (10.10.8.131) → proxy → Authentik (10.10.8.131:9000)
  • Authentik uses local containers for DB/cache.

Prereqs

  • Docker + Docker Compose installed on 10.10.8.131
  • DNS:
    • auth.aurbotstem.com A record → Public IP
  • NPM running on 10.10.8.131 (admin UI on http://10.10.8.131:81 LAN-only)

Inputs

  • VM IP: 10.10.8.131
  • Domain: auth.aurbotstem.com

Procedure

1) Create folders

mkdir -p ~/stack/authentik
cd ~/stack/authentik

2) Create secrets

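# tr strips the line break openssl inserts after every 64 base64 characters;
# without it the 80-character secret key spans two lines and corrupts .env.
PG_PASS="$(openssl rand -base64 36 | tr -d '\n')"
AUTHENTIK_SECRET_KEY="$(openssl rand -base64 60 | tr -d '\n')"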

cat > .env <<EOF
PG_PASS=${PG_PASS}
AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
AUTHENTIK_ERROR_REPORTING__ENABLED=false
EOF

3) Create docker-compose.yml

cat > docker-compose.yml <<'YAML'
services:
  postgresql:
    image: postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: ${PG_PASS}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
    volumes:
      - ./pgdata:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine
    restart: unless-stopped
    command: --save 60 1 --loglevel warning
    volumes:
      - ./redisdata:/data

  server:
    image: ghcr.io/goauthentik/server:2025.2.1
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING__ENABLED}
    depends_on: [postgresql, redis]
    ports:
      - "9000:9000"
    volumes:
      - ./media:/media
      - ./custom-templates:/templates

  worker:
    image: ghcr.io/goauthentik/server:2025.2.1
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING__ENABLED}
    depends_on: [postgresql, redis]
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
YAML

4) Start Authentik

docker compose up -d
docker compose ps

5) Verify locally

From LAN:

  • http://10.10.8.131:9000 → Authentik setup screen

6) Publish via NPM

In NPM (10.10.8.131:81) create Proxy Host:

  • Domain: auth.aurbotstem.com
  • Scheme: http
  • Forward Host: 10.10.8.131
  • Forward Port: 9000
  • SSL: Let’s Encrypt + Force SSL

Verification

  • curl -I http://10.10.8.131:9000 returns 200/302
  • https://auth.aurbotstem.com loads Authentik UI
  • Docker services running: docker compose ps
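The .env written in step 2 can be checked before step 4 as well. The script below is an added example, not part of the original SOP: it rejects a file that other accounts can read and a secret broken across lines, which is what base64 output wrapped at 64 characters produces in a heredoc. The function names and the minimum lengths (48 and 80 characters, the sizes the two openssl commands in step 2 emit) are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint the .env from step 2 before `docker compose up -d`.
# Assumed minimum lengths: the character counts that
# `openssl rand -base64 36` (48) and `openssl rand -base64 60` (80) emit.
check_env_file() {
    env_path="$1"; rc=0
    [ -f "$env_path" ] || { echo "missing: $env_path" >&2; return 1; }

    # Group/other permission bits must all be clear (0600 or stricter).
    perms="$(ls -ld "$env_path" | cut -c5-10)"
    [ "$perms" = "------" ] || { echo "$env_path: readable beyond owner" >&2; rc=1; }

    # Every non-blank, non-comment line must be KEY=VALUE. A wrapped base64
    # value leaves a stray line with no KEY= prefix. Report line numbers only.
    bad="$(grep -vnE '^([A-Za-z_][A-Za-z0-9_]*=.*|#.*|[[:space:]]*)$' "$env_path" | cut -d: -f1 | tr '\n' ' ')"
    [ -z "$bad" ] || { echo "$env_path: malformed line(s): $bad" >&2; rc=1; }

    for spec in PG_PASS:48 AUTHENTIK_SECRET_KEY:80; do
        key="${spec%%:*}"; min="${spec##*:}"
        val="$(sed -n "s/^${key}=//p" "$env_path" | head -n 1)"
        [ "${#val}" -ge "$min" ] || { echo "$env_path: $key shorter than $min chars" >&2; rc=1; }
    done
    return "$rc"
}

# Constructed sample input: one well-formed file and one whose 80-character
# key is wrapped at column 64. The values are filler, not real secrets.
make_samples() {
    dir="$(mktemp -d)"; umask 077
    a48="$(head -c 48 /dev/zero | tr '\0' 'A')"
    b64="$(head -c 64 /dev/zero | tr '\0' 'B')"
    b16="$(head -c 16 /dev/zero | tr '\0' 'B')"
    printf 'PG_PASS=%s\nAUTHENTIK_SECRET_KEY=%s%s\n' "$a48" "$b64" "$b16" > "$dir/good.env"
    printf 'PG_PASS=%s\nAUTHENTIK_SECRET_KEY=%s\n%s\n' "$a48" "$b64" "$b16" > "$dir/wrapped.env"
    echo "$dir"
}

samples="$(make_samples)"
for name in good wrapped; do
    if check_env_file "$samples/$name.env"; then echo "$name.env: ok"; else echo "$name.env: rejected"; fi
done
rm -rf "$samples"
```

On the VM, call `check_env_file ~/stack/authentik/.env` after step 2 and run `chmod 600` on the file if the permission check fails.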

Rollback

cd ~/stack/authentik
docker compose down

(Optional) remove data:

rm -rf ~/stack/authentik

Troubleshooting

  • Check logs:
    • docker compose logs -f server
    • docker compose logs -f worker
  • Port in use:
    • sudo ss -lntp | grep ':9000'

Changelog

  • 2026-02-12: Initial SOP created.