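# Authentik - Identity Provider / SSO
# Docs: https://docs.goauthentik.io/
# Deployed to: Calypso (DS723+)
# Domain: sso.vish.gg
#
# DISASTER RECOVERY:
# - Database:  /volume1/docker/authentik/database (PostgreSQL)
# - Media:     /volume1/docker/authentik/media (uploaded files, icons)
# - Certs:     /volume1/docker/authentik/certs (custom certificates)
# - Templates: /volume1/docker/authentik/templates (custom email templates)
#
# INITIAL SETUP:
# 1. Deploy stack via Portainer
# 2. Access https://sso.vish.gg/if/flow/initial-setup/
# 3. Create admin account (akadmin)
# 4. Configure providers for each service
#
# SECRETS: every "REDACTED_*" value below is a placeholder. Supply the real
# values through Portainer stack environment variables or an .env file rather
# than editing them into this file, so they never land in version control.
# Environment values are written as quoted strings on purpose: Compose passes
# them to the container as text, and quoting keeps YAML from retyping them.
#
# NOTE: Compose v2 ignores the `version` key (with a warning); it is kept
# because the Portainer deployment path has not been verified without it.
version: '3.8'

services:
  # PostgreSQL backing store. Only reachable on the stack's internal network
  # (no `ports:` published).
  authentik-db:
    image: docker.io/library/postgres:16-alpine
    container_name: Authentik-DB
    restart: unless-stopped
    healthcheck:
      # `$$` escapes the `$` so the variable is expanded inside the container,
      # not by Compose at parse time.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /volume1/docker/authentik/database:/var/lib/postgresql/data
    environment:
      # Must match AUTHENTIK_POSTGRESQL__PASSWORD on the server and worker.
      POSTGRES_PASSWORD: "REDACTED_PASSWORD"
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik

  # Redis cache/broker. Unauthenticated, so it must stay internal-only
  # (no `ports:` published) - do not expose it.
  authentik-redis:
    # Floating tag; consider pinning a specific version so a rebuild during
    # disaster recovery pulls the same image that was tested.
    image: docker.io/library/redis:alpine
    container_name: Authentik-REDIS
    # Snapshot to disk every 60s if at least 1 key changed.
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /volume1/docker/authentik/redis:/data

  # Web/API front end. Serves the admin UI and all authentication flows.
  authentik-server:
    image: ghcr.io/goauthentik/server:2026.2.1
    container_name: Authentik-SERVER
    restart: unless-stopped
    command: server
    environment:
      # Shared with authentik-worker; both containers must carry the same value.
      AUTHENTIK_SECRET_KEY: "REDACTED_SECRET_KEY"
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-db
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: "REDACTED_PASSWORD"
      # Email configuration (Gmail)
      AUTHENTIK_EMAIL__HOST: smtp.gmail.com
      AUTHENTIK_EMAIL__PORT: "587"
      AUTHENTIK_EMAIL__USERNAME: your-email@example.com
      AUTHENTIK_EMAIL__PASSWORD: "REDACTED_PASSWORD"  # pragma: allowlist secret
      AUTHENTIK_EMAIL__USE_TLS: "true"
      AUTHENTIK_EMAIL__FROM: sso@vish.gg
    volumes:
      - /volume1/docker/authentik/media:/media
      - /volume1/docker/authentik/templates:/templates
    ports:
      - "9000:9000"  # HTTP
      - "9443:9443"  # HTTPS
    depends_on:
      authentik-db:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy

  # Background task runner (email, outposts, scheduled jobs). Same image and
  # same environment as the server; only `command` differs.
  authentik-worker:
    image: ghcr.io/goauthentik/server:2026.2.1
    container_name: Authentik-WORKER
    restart: unless-stopped
    command: worker
    environment:
      # Shared with authentik-server; both containers must carry the same value.
      AUTHENTIK_SECRET_KEY: "REDACTED_SECRET_KEY"
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-db
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: "REDACTED_PASSWORD"
      # Email configuration (Gmail)
      AUTHENTIK_EMAIL__HOST: smtp.gmail.com
      AUTHENTIK_EMAIL__PORT: "587"
      AUTHENTIK_EMAIL__USERNAME: your-email@example.com
      AUTHENTIK_EMAIL__PASSWORD: "REDACTED_PASSWORD"  # pragma: allowlist secret
      AUTHENTIK_EMAIL__USE_TLS: "true"
      AUTHENTIK_EMAIL__FROM: sso@vish.gg
    # This is optional, and can be removed. If you remove this, the following will happen
    # - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
    # - The docker socket can't be accessed anymore
    #
    # NOTE(review): running as root with the Docker socket mounted gives this
    # container control of the host's Docker daemon, which is effectively host
    # root. If Docker-managed outposts are not used, drop `user: root` and the
    # docker.sock bind below, and fix /media ownership to 1000:1000 by hand.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /volume1/docker/authentik/media:/media
      - /volume1/docker/authentik/certs:/certs
      - /volume1/docker/authentik/templates:/templates
    depends_on:
      authentik-db:
        condition: service_healthy
      authentik-redis:
        condition: service_healthy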