App Suggestion: [Authentik]

[wajeht]

What is authentik?

authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols, implement sign-up/recovery/etc. in your application so you don't have to deal with it, and many other things.

I've tried stabbing at it. I am not sure what I am missing. Here is my config:

captainVersion: 4
services:
  $$cap_appname-postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $$cap_POSTGRES_DB -U $$cap_POSTGRES_USER"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - $$cap_appname-postgresql-data:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: $$cap_POSTGRES_PASSWORD
      POSTGRES_USER: $$cap_POSTGRES_USER
      POSTGRES_DB: $$cap_POSTGRES_DB
    caproverExtra:
      notExposeAsWebApp: 'true'

  $$cap_appname-redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - $$cap_appname-redis-data:/data
    caproverExtra:
      notExposeAsWebApp: 'true'

  $$cap_appname:
    image: ghcr.io/goauthentik/server:2023.10.2
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: srv-captain--$$cap_appname-redis
      AUTHENTIK_POSTGRESQL__HOST: srv-captain--$$cap_appname-postgresql
      AUTHENTIK_POSTGRESQL__USER: $$cap_POSTGRES_USER
      AUTHENTIK_POSTGRESQL__NAME: $$cap_POSTGRES_DB
      AUTHENTIK_SECRET_KEY: $$cap_AUTHENTIK_SECRET_KEY
      AUTHENTIK_POSTGRESQL__PASSWORD: $$cap_POSTGRES_PASSWORD
    volumes:
      - $$cap_appname-data-media:/media
      - $$cap_appname-data-templates:/templates
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - $$cap_appname-postgresql
      - $$cap_appname-redis
    caproverExtra:
      containerHttpPort: '9443'

  $$cap_appname-worker:
    image: ghcr.io/goauthentik/server:2023.10.2
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: srv-captain--$$cap_appname-redis
      AUTHENTIK_POSTGRESQL__HOST: srv-captain--$$cap_appname-postgresql
      AUTHENTIK_POSTGRESQL__USER: $$cap_POSTGRES_USER
      AUTHENTIK_POSTGRESQL__NAME: $$cap_POSTGRES_DB
      AUTHENTIK_SECRET_KEY: $$cap_AUTHENTIK_SECRET_KEY
      AUTHENTIK_POSTGRESQL__PASSWORD: $$cap_POSTGRES_PASSWORD
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $$cap_appname-data-media:/media
      - $$cap_appname-data-certs:/certs
      - $$cap_appname-data-templates:/templates
    depends_on:
      - $$cap_appname-postgresql
      - $$cap_appname-redis

caproverOneClickApp:
  variables:
    - id: $$cap_POSTGRES_USER
      label: PostgreSQL User
      defaultValue: username
    - id: $$cap_POSTGRES_PASSWORD
      label: PostgreSQL Password
      description: 'Database password required'
      defaultValue: password
    - id: $$cap_POSTGRES_DB
      label: PostgreSQL Database Name
      defaultValue: database
    - id: $$cap_AUTHENTIK_SECRET_KEY
      label: Authentik secret key
      defaultValue: password
    - id: $$cap_appname_version
      label: Go Authentik Version
      defaultValue: '2023.10.2'
      description: Check out their GitHub packages page for the valid tags https://github.com/gethomepage/homepage/releases
      validRegex: /^([^\\s^\\/])+$/

  instructions:
    start: Just a plain Docker Compose.
    end: Docker Compose is deployed.

displayName: GoAuthentik
isOfficial: true
description: GoAuthentik is an open-source authentication and identity provider.
documentation: https://github.com/gethomepage/homepage

here is the docker-compose: https://goauthentik.io/docs/installation/docker-compose

---
version: "3.4"

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis

volumes:
  database:
    driver: local
  redis:
    driver: local

[githubsaturn]

command field isn't used by CapRover, that's probably the cause: https://github.com/caprover/one-click-apps?tab=readme-ov-file#services

As a workaround, you can use dockerfileLines, here is an example: https://github.com/caprover/one-click-apps/blob/381c647045cd08d55e48d45d7ce450a8b6405e2d/public/v4/apps/redis.yml#L9-L12

[alex-gph1]

Here's the link to the working caprover version of Authentik: https://github.com/alex-gph1/one-click-apps/blob/master/public/v4/apps/caprover-authentik.yml

I found out that in caprover 1.12 you can use command. Though even before I was using before Service Update Override as a workaround.

[wajeht]

@alex-gph1 do you mind submitting the template for 1 click app?

[alex-gph1]

@alex-gph1 do you mind submitting the template for 1 click app?

Not yet. I wasn't able to implement any authorization flow with Authentik. Until I can provide at least some guide on using it with Caprover, I see no point in submitting it.

For now I would say that Authentik and Zitadel are no-go for Caprover (for Zitadel I submitted bug report, with no any reply yet). However, you can make almost any authorization work like a charm by using Oauth2 Proxy with either Keycloak or Casdoor. Later on I might submit both bundled with Oauth2 Proxy for easy setup with Caprover.