App Suggestion: [Authentik]
What is authentik?
authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols, implement sign-up/recovery/etc. in your application so you don't have to deal with it, and many other things.
I've tried stabbing at it. I am not sure what I am missing. Here is my config:
captainVersion: 4
services:
  $$cap_appname-postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $$cap_POSTGRES_DB -U $$cap_POSTGRES_USER"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - $$cap_appname-postgresql-data:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: $$cap_POSTGRES_PASSWORD
      POSTGRES_USER: $$cap_POSTGRES_USER
      POSTGRES_DB: $$cap_POSTGRES_DB
    caproverExtra:
      notExposeAsWebApp: 'true'
  $$cap_appname-redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - $$cap_appname-redis-data:/data
    caproverExtra:
      notExposeAsWebApp: 'true'
  $$cap_appname:
    # tag comes from the $$cap_appname_version variable declared below
    # (the original pinned 2023.10.2 here and left that variable unused)
    image: ghcr.io/goauthentik/server:$$cap_appname_version
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: srv-captain--$$cap_appname-redis
      AUTHENTIK_POSTGRESQL__HOST: srv-captain--$$cap_appname-postgresql
      AUTHENTIK_POSTGRESQL__USER: $$cap_POSTGRES_USER
      AUTHENTIK_POSTGRESQL__NAME: $$cap_POSTGRES_DB
      AUTHENTIK_SECRET_KEY: $$cap_AUTHENTIK_SECRET_KEY
      AUTHENTIK_POSTGRESQL__PASSWORD: $$cap_POSTGRES_PASSWORD
    volumes:
      - $$cap_appname-data-media:/media
      - $$cap_appname-data-templates:/templates
    # publishing these on the host bypasses the CapRover proxy and its TLS;
    # not needed when the app is reached through CapRover
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - $$cap_appname-postgresql
      - $$cap_appname-redis
    caproverExtra:
      # CapRover's nginx forwards plain HTTP to this port: 9000 is authentik's
      # HTTP listener, 9443 is its TLS listener and will not work here
      containerHttpPort: '9000'
  $$cap_appname-worker:
    image: ghcr.io/goauthentik/server:$$cap_appname_version
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: srv-captain--$$cap_appname-redis
      AUTHENTIK_POSTGRESQL__HOST: srv-captain--$$cap_appname-postgresql
      AUTHENTIK_POSTGRESQL__USER: $$cap_POSTGRES_USER
      AUTHENTIK_POSTGRESQL__NAME: $$cap_POSTGRES_DB
      AUTHENTIK_SECRET_KEY: $$cap_AUTHENTIK_SECRET_KEY
      AUTHENTIK_POSTGRESQL__PASSWORD: $$cap_POSTGRES_PASSWORD
    volumes:
      # the docker socket gives the worker full control of the host's Docker
      # daemon; only mount it if the Docker outpost integration is needed
      - /var/run/docker.sock:/var/run/docker.sock
      - $$cap_appname-data-media:/media
      - $$cap_appname-data-certs:/certs
      - $$cap_appname-data-templates:/templates
    depends_on:
      - $$cap_appname-postgresql
      - $$cap_appname-redis
caproverOneClickApp:
  variables:
    - id: $$cap_POSTGRES_USER
      label: PostgreSQL User
      defaultValue: username
    - id: $$cap_POSTGRES_PASSWORD
      label: PostgreSQL Password
      description: 'Database password required'
      # generated per install instead of the literal "password"
      defaultValue: $$cap_gen_random_hex(32)
    - id: $$cap_POSTGRES_DB
      label: PostgreSQL Database Name
      defaultValue: database
    - id: $$cap_AUTHENTIK_SECRET_KEY
      label: Authentik secret key
      description: 'Signs sessions and tokens; must be long and random'
      defaultValue: $$cap_gen_random_hex(50)
    - id: $$cap_appname_version
      label: Go Authentik Version
      defaultValue: '2023.10.2'
      # the original pointed at the gethomepage/homepage releases page, left over
      # from the template this was copied from
      description: Check out the authentik releases page for the valid tags https://github.com/goauthentik/authentik/releases
      validRegex: /^([^\\s^\\/])+$/
  instructions:
    start: Just a plain Docker Compose.
    end: Docker Compose is deployed.
  displayName: GoAuthentik
  isOfficial: true
  description: GoAuthentik is an open-source authentication and identity provider.
  documentation: https://goauthentik.io/docs/installation/docker-compose
Here is the docker-compose: https://goauthentik.io/docs/installation/docker-compose
---
version: "3.4"
services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
volumes:
  database:
    driver: local
  redis:
    driver: local
Update:
command is now being used by CapRover.
OLD:
command field isn't used by CapRover, that's probably the cause:
https://github.com/caprover/one-click-apps?tab=readme-ov-file#services
As a workaround, you can use dockerfileLines, here is an example: https://github.com/caprover/one-click-apps/blob/381c647045cd08d55e48d45d7ce450a8b6405e2d/public/v4/apps/redis.yml#L9-L12
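The dockerfileLines workaround described above, applied to the two authentik services of the template earlier in the thread. This is an added example, not the linked redis.yml and not either poster's template; it reuses the service names, environment and the $$cap_appname_version variable from the template above, and it assumes that the authentik image's entrypoint takes `server` / `worker` as its argument, which is what `command: server` / `command: worker` in the upstream compose relies on (compose `command:` only replaces CMD, not ENTRYPOINT):

```yaml
# Pre-1.12 CapRover ignored `command:`, so `dockerfileLines` replaces `image:`
# and CapRover builds a small derived image whose CMD carries the argument
# that `command:` would have passed. Database and redis services are unchanged.
captainVersion: 4
services:
  $$cap_appname:
    restart: unless-stopped
    environment:
      AUTHENTIK_REDIS__HOST: srv-captain--$$cap_appname-redis
      AUTHENTIK_POSTGRESQL__HOST: srv-captain--$$cap_appname-postgresql
      AUTHENTIK_POSTGRESQL__USER: $$cap_POSTGRES_USER
      AUTHENTIK_POSTGRESQL__NAME: $$cap_POSTGRES_DB
      AUTHENTIK_POSTGRESQL__PASSWORD: $$cap_POSTGRES_PASSWORD
      AUTHENTIK_SECRET_KEY: $$cap_AUTHENTIK_SECRET_KEY
    volumes:
      - $$cap_appname-data-media:/media
      - $$cap_appname-data-templates:/templates
    depends_on:
      - $$cap_appname-postgresql
      - $$cap_appname-redis
    caproverExtra:
      # plain-HTTP listener; CapRover's proxy terminates TLS in front of it
      containerHttpPort: '9000'
      dockerfileLines:
        - FROM ghcr.io/goauthentik/server:$$cap_appname_version
        - CMD ["server"]
  $$cap_appname-worker:
    restart: unless-stopped
    environment:
      AUTHENTIK_REDIS__HOST: srv-captain--$$cap_appname-redis
      AUTHENTIK_POSTGRESQL__HOST: srv-captain--$$cap_appname-postgresql
      AUTHENTIK_POSTGRESQL__USER: $$cap_POSTGRES_USER
      AUTHENTIK_POSTGRESQL__NAME: $$cap_POSTGRES_DB
      AUTHENTIK_POSTGRESQL__PASSWORD: $$cap_POSTGRES_PASSWORD
      AUTHENTIK_SECRET_KEY: $$cap_AUTHENTIK_SECRET_KEY
    volumes:
      # omit the docker socket unless the Docker outpost integration is needed;
      # it hands the worker full control of the host's Docker daemon
      - $$cap_appname-data-media:/media
      - $$cap_appname-data-certs:/certs
      - $$cap_appname-data-templates:/templates
    depends_on:
      - $$cap_appname-postgresql
      - $$cap_appname-redis
    caproverExtra:
      notExposeAsWebApp: 'true'
      dockerfileLines:
        - FROM ghcr.io/goauthentik/server:$$cap_appname_version
        - CMD ["worker"]
```

Both services derive from the same tag, so the server and worker stay on the same version; on CapRover 1.12 or later `image:` plus `command: server` / `command: worker` gives the same result without the extra build step.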
Here's the link to the working caprover version of Authentik: https://github.com/alex-gph1/one-click-apps/blob/master/public/v4/apps/caprover-authentik.yml
I found out that in caprover 1.12 you can use command. Though even before that I was using Service Update Override as a workaround.
@alex-gph1 do you mind submitting the template for 1 click app?
Not yet. I wasn't able to implement any authorization flow with Authentik. Until I can provide at least some guide on using it with Caprover, I see no point in submitting it.
For now I would say that Authentik and Zitadel are no-go for Caprover (for Zitadel I submitted a bug report, with no reply yet). However, you can make almost any authorization work like a charm by using Oauth2 Proxy with either Keycloak or Casdoor. Later on I might submit both bundled with Oauth2 Proxy for easy setup with Caprover.
@alex-gph1 why won't Authentik work?
I just want to one click install it, and then use it from within my app code. Are you saying that your example is not capable of doing that? I don't understand how this relates to oauth 2 proxy at all.
Well, if you need it you can either use captain definition from the link above, or connect my repository and install it as a regular one-click app: https://raw.githubusercontent.com/alex-gph1/one-click-apps/master/dist
closing this in favor of https://github.com/caprover/one-click-apps/pull/1226
Question: is there a way of handling auth for Caprover with Authentik?