goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

authentik only randomly comes online #11468

Open plainlytbrown opened 1 month ago

plainlytbrown commented 1 month ago

Stack only comes online randomly, and usually after I do 'docker-compose down' then 'docker-compose up -d' again.

Relevant info: running on an Ubuntu 22.04 VM on Proxmox. Right now I'm running version 2024.4.0.

I can post more logs, but when I tried to add the server logs it told me my post was too long.

Postgres Logs

authentik_postgresql  | The files belonging to this database system will be owned by user "postgres".
authentik_postgresql  | This user must also own the server process.
authentik_postgresql  | 
authentik_postgresql  | The database cluster will be initialized with locale "en_US.utf8".
authentik_postgresql  | The default database encoding has accordingly been set to "UTF8".
authentik_postgresql  | The default text search configuration will be set to "english".
authentik_postgresql  | 
authentik_postgresql  | Data page checksums are disabled.
authentik_postgresql  | 
authentik_postgresql  | fixing permissions on existing directory /var/lib/postgresql/data ... ok
authentik_postgresql  | creating subdirectories ... ok
authentik_postgresql  | selecting dynamic shared memory implementation ... posix
authentik_postgresql  | selecting default max_connections ... 100
authentik_postgresql  | selecting default shared_buffers ... 128MB
authentik_postgresql  | selecting default time zone ... UTC
authentik_postgresql  | creating configuration files ... ok
authentik_postgresql  | running bootstrap script ... ok
authentik_postgresql  | sh: locale: not found
authentik_postgresql  | 2024-09-22 12:43:34.402 UTC [36] WARNING:  no usable system locales were found
authentik_postgresql  | performing post-bootstrap initialization ... ok
authentik_postgresql  | syncing data to disk ... ok
authentik_postgresql  | 
authentik_postgresql  | 
authentik_postgresql  | Success. You can now start the database server using:
authentik_postgresql  | 
authentik_postgresql  |     pg_ctl -D /var/lib/postgresql/data -l logfile start
authentik_postgresql  | 
authentik_postgresql  | initdb: warning: enabling "trust" authentication for local connections
authentik_postgresql  | initdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb.
authentik_postgresql  | waiting for server to start....2024-09-22 12:43:34.832 UTC [42] LOG:  starting PostgreSQL 16.4 on x86_64-pc-linux-musl, compiled by gcc (Alpine 13.2.1_git20240309) 13.2.1 20240309, 64-bit
authentik_postgresql  | 2024-09-22 12:43:34.835 UTC [42] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
authentik_postgresql  | 2024-09-22 12:43:34.845 UTC [45] LOG:  database system was shut down at 2024-09-22 12:43:34 UTC
authentik_postgresql  | 2024-09-22 12:43:34.853 UTC [42] LOG:  database system is ready to accept connections
authentik_postgresql  |  done
authentik_postgresql  | server started
authentik_postgresql  | CREATE DATABASE
authentik_postgresql  | 
authentik_postgresql  | 
authentik_postgresql  | /usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-initdb.d/*
authentik_postgresql  | 
authentik_postgresql  | waiting for server to shut down....2024-09-22 12:43:34.976 UTC [42] LOG:  received fast shutdown request
authentik_postgresql  | 2024-09-22 12:43:34.980 UTC [42] LOG:  aborting any active transactions
authentik_postgresql  | 2024-09-22 12:43:34.983 UTC [42] LOG:  background worker "logical replication launcher" (PID 48) exited with exit code 1
authentik_postgresql  | 2024-09-22 12:43:34.983 UTC [43] LOG:  shutting down
authentik_postgresql  | 2024-09-22 12:43:34.989 UTC [43] LOG:  checkpoint starting: shutdown immediate
authentik_postgresql  | 2024-09-22 12:43:35.060 UTC [43] LOG:  checkpoint complete: wrote 924 buffers (5.6%); 0 WAL file(s) added, 0 removed, 0 recycled; write=0.022 s, sync=0.030 s, total=0.077 s; sync files=301, longest=0.012 s, average=0.001 s; distance=4267 kB, estimate=4267 kB; lsn=0/191AB60, redo lsn=0/191AB60
authentik_postgresql  | 2024-09-22 12:43:35.065 UTC [42] LOG:  database system is shut down
authentik_postgresql  |  done
authentik_postgresql  | server stopped
authentik_postgresql  | 
authentik_postgresql  | PostgreSQL init process complete; ready for start up.
authentik_postgresql  | 
authentik_postgresql  | 2024-09-22 12:43:35.101 UTC [1] LOG:  starting PostgreSQL 16.4 on x86_64-pc-linux-musl, compiled by gcc (Alpine 13.2.1_git20240309) 13.2.1 20240309, 64-bit
authentik_postgresql  | 2024-09-22 12:43:35.101 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
authentik_postgresql  | 2024-09-22 12:43:35.101 UTC [1] LOG:  listening on IPv6 address "::", port 5432
authentik_postgresql  | 2024-09-22 12:43:35.111 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
authentik_postgresql  | 2024-09-22 12:43:35.119 UTC [58] LOG:  database system was shut down at 2024-09-22 12:43:35 UTC
authentik_postgresql  | 2024-09-22 12:43:35.125 UTC [1] LOG:  database system is ready to accept connections
authentik_postgresql  | 2024-09-22 12:43:35.545 UTC [63] WARNING:  there is already a transaction in progress
authentik_postgresql  | 2024-09-22 12:44:32.261 UTC [119] ERROR:  deadlock detected
authentik_postgresql  | 2024-09-22 12:44:32.261 UTC [119] DETAIL:  Process 119 waits for ShareLock on transaction 2473; blocked by process 121.
authentik_postgresql  |     Process 121 waits for ShareLock on transaction 2475; blocked by process 119.
authentik_postgresql  |     Process 119: INSERT INTO "authentik_flows_stage" ("stage_uuid", "name") VALUES ('65e07b080a3d4bbb9fa65ced912b4e07'::uuid, 'default-password-change-write')
authentik_postgresql  |     Process 121: INSERT INTO "authentik_flows_stage" ("stage_uuid", "name") VALUES ('583285c8241e42d1b46b7eb3f504b048'::uuid, 'default-authentication-login')
authentik_postgresql  | 2024-09-22 12:44:32.261 UTC [119] HINT:  See server log for query details.
authentik_postgresql  | 2024-09-22 12:44:32.261 UTC [119] CONTEXT:  while inserting index tuple (0,18) in relation "authentik_flows_stage_name_a2584620_uniq"
authentik_postgresql  | 2024-09-22 12:44:32.261 UTC [119] STATEMENT:  INSERT INTO "authentik_flows_stage" ("stage_uuid", "name") VALUES ('65e07b080a3d4bbb9fa65ced912b4e07'::uuid, 'default-password-change-write')
authentik_postgresql  | 2024-09-22 12:44:32.404 UTC [121] ERROR:  duplicate key value violates unique constraint "authentik_flows_flow_slug_key"
authentik_postgresql  | 2024-09-22 12:44:32.404 UTC [121] DETAIL:  Key (slug)=(default-password-change) already exists.
authentik_postgresql  | 2024-09-22 12:44:32.404 UTC [121] STATEMENT:  INSERT INTO "authentik_flows_flow" ("policybindingmodel_ptr_id", "flow_uuid", "name", "slug", "title", "layout", "designation", "background", "compatibility_mode", "denied_action", "authentication") VALUES ('b429567007ca4d7ea39baafa51f6776c'::uuid, 'ef4f6b63fbb34fa8b6053192a9a59910'::uuid, 'Change Password', 'default-password-change', 'Change password', 'stacked', 'stage_configuration', '', false, 'message_continue', 'require_authenticated')
authentik_postgresql  | 2024-09-22 12:44:32.405 UTC [121] ERROR:  current transaction is aborted, commands ignored until end of transaction block
authentik_postgresql  | 2024-09-22 12:44:32.405 UTC [121] STATEMENT:  SET search_path = 'public'
authentik_postgresql  | 2024-09-22 12:44:35.037 UTC [150] ERROR:  deadlock detected
authentik_postgresql  | 2024-09-22 12:44:35.037 UTC [150] DETAIL:  Process 150 waits for ShareLock on transaction 2564; blocked by process 152.
authentik_postgresql  |     Process 152 waits for ShareLock on transaction 2566; blocked by process 150.
authentik_postgresql  |     Process 150: UPDATE "authentik_flows_stage" SET "name" = 'default-password-change-write' WHERE "authentik_flows_stage"."stage_uuid" = '2d9500ed0ac542bca26062050e19cfde'::uuid
authentik_postgresql  |     Process 152: UPDATE "authentik_flows_stage" SET "name" = 'default-authentication-login' WHERE "authentik_flows_stage"."stage_uuid" = 'fb310239ef2d40fa819f551fcf774805'::uuid
authentik_postgresql  | 2024-09-22 12:44:35.037 UTC [150] HINT:  See server log for query details.
authentik_postgresql  | 2024-09-22 12:44:35.037 UTC [150] CONTEXT:  while updating tuple (0,80) in relation "authentik_flows_stage"
authentik_postgresql  | 2024-09-22 12:44:35.037 UTC [150] STATEMENT:  UPDATE "authentik_flows_stage" SET "name" = 'default-password-change-write' WHERE "authentik_flows_stage"."stage_uuid" = '2d9500ed0ac542bca26062050e19cfde'::uuid

**Version and Deployment (please complete the following information):**

Below is my setup for the situation. I feel like I either have a typo or I just can't have the containers run as my current docker user.

tree

```
├── README.md
├── appdata
│   ├── authentik
│   │   ├── custom-templates
│   │   ├── geoip
│   │   │   └── data
│   │   │       ├── GeoLite2-ASN.mmdb
│   │   │       └── GeoLite2-City.mmdb
│   │   ├── media
│   │   │   └── public
│   │   ├── postgres
│   │   │   └── data  [error opening dir]
│   │   └── redis
│   │       └── data
│   │           └── dump.rdb
│   └── traefik
│       ├── config
│       │   └── traefik.yml
│       ├── data
│       │   └── acme.json
│       └── rules
│           ├── chain-no-auth.yaml
│           ├── middlewares-buffering.yaml
│           ├── middlewares-compress.yaml
│           ├── middlewares-https-redirectscheme.yaml
│           ├── middlewares-rate-limit.yaml
│           ├── middlewares-secure-headers.yaml
│           └── tls-opts.yaml
├── bringonline.sh
├── logs
│   └── traefik
│       └── traefik-container.log
├── my-compose
│   ├── authentik
│   │   └── compose.yaml
│   ├── compose.yml
│   ├── logs.txt
│   ├── traefik
│   │   └── compose.yaml
│   └── whoami
│       └── compose.yaml
├── secrets
│   ├── authentik_postgresql_db
│   ├── authentik_postgresql_password
│   ├── authentik_secret_key
│   ├── cf_dns_api_token
│   ├── cf_email
│   ├── geoip_account_id
│   ├── geoip_license_key
│   ├── gmail_smtp_password
│   ├── gmail_smtp_username
│   └── postgresql_user
└── startover.sh
```

authentik compose

# ------------------------------
# -- authentik (Identity Provider / SSO)
# -- Updated/Created 2024-July-02
# Authentik configuration: https://docs.goauthentik.io/docs/installation/configuration
# ------------------------------
name: authentik # Project Name

networks:
  traefik:
    external: true
  authentik-backend:
    name: authentik-backend
services:
  postgres-init:
    image: docker.io/library/postgres:16-alpine
    volumes:
      - "$DOCKERDIR/appdata/authentik/postgres/data:/var/lib/postgresql/data"
    entrypoint:
      - sh
      - -c
      - |
        chown -R ${PUID}:${PGID} /var/lib/postgresql/data
  authentik_postgresql:
    depends_on:
      postgres-init:
        condition: service_completed_successfully
    image: docker.io/library/postgres:16-alpine
    container_name: authentik_postgresql
    shm_size: 128mb # https://hub.docker.com/_/postgres
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d authentik -U user"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    networks:
      - authentik-backend
    volumes:
      - "$DOCKERDIR/appdata/authentik/postgres/data:/var/lib/postgresql/data"
    secrets:
      - authentik_postgresql_db
      - authentik_postgresql_password # Generate the password with openssl rand 36 | base64 -w 0
      - postgresql_user
    environment:
      - POSTGRES_PASSWORD_FILE
      - POSTGRES_USER_FILE
      - POSTGRES_DB_FILE
  authentik_redis:
    image: docker.io/library/redis:alpine
    container_name: authentik_redis
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    networks:
      - authentik-backend
    volumes:
      - "$DOCKERDIR/appdata/authentik/redis/data:/data"

  # Use the embedded outpost (2021.8.1+) instead of the separate Forward Auth / Proxy Provider container
  authentik-server:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2024.6.4}
    container_name: authentik-server
    restart: unless-stopped
    command: server && chown -R ${PUID}:${PGID} /media /templates /geoip
    user: ${PUID}:${PGID}
    depends_on:
      - authentik_postgresql
      - authentik_redis
    networks:
      - authentik-backend
      - traefik
    secrets:
      - authentik_postgresql_db
      - authentik_postgresql_password
      - authentik_secret_key
      - postgresql_user
    environment:
      - AUTHENTIK_REDIS__HOST
      - AUTHENTIK_POSTGRESQL__HOST
      - AUTHENTIK_POSTGRESQL__NAME
      - AUTHENTIK_POSTGRESQL__USER
      - AUTHENTIK_POSTGRESQL__PASSWORD
      - AUTHENTIK_DISABLE_STARTUP_ANALYTICS
      - AUTHENTIK_DISABLE_UPDATE_CHECK
      - AUTHENTIK_ERROR_REPORTING__ENABLED
      - AUTHENTIK_LOG_LEVEL
      - AUTHENTIK_SECRET_KEY
      - AUTHENTIK_COOKIE_DOMAIN
      - AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS 
    volumes:
      - "$DOCKERDIR/appdata/authentik/media:/media"
      - "$DOCKERDIR/appdata/authentik/custom-templates:/templates"
      - "$DOCKERDIR/appdata/authentik/geoip/data:/geoip"
    labels:
      - "traefik.enable=true"
      ### routers for authentik landing page
      - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.${DOMAINNAME}`)"
      - "traefik.http.routers.authentik-rtr.service=authentik-svc"
      - "traefik.http.routers.authentik-rtr.entrypoints=https"
      - "traefik.http.routers.authentik-rtr.tls=true"
      - "traefik.http.routers.authentik-rtr.tls.certresolver=cloudflare"
      - "traefik.http.services.authentik-svc.loadBalancer.server.port=9000"

      ### routers for single auth redirect
      - "traefik.http.routers.authentik-rtr-outpost.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.port=9000"
      # `authentik-proxy` refers to the service name in the compose file.
      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"

  authentik_worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2024.6.4}
    container_name: authentik_worker
    restart: unless-stopped
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: ${PUID}:${PGID}
    command: worker
    depends_on:
      - authentik_postgresql
      - authentik_redis
    networks:
      - authentik-backend
    secrets:
      - authentik_postgresql_db
      - authentik_postgresql_password
      - authentik_secret_key
      - gmail_smtp_username
      - gmail_smtp_password
      - postgresql_user
    environment:
      # - DOCKER_HOST
      - AUTHENTIK_REDIS__HOST
      - AUTHENTIK_POSTGRESQL__HOST
      - AUTHENTIK_POSTGRESQL__NAME
      - AUTHENTIK_POSTGRESQL__USER
      - AUTHENTIK_POSTGRESQL__PASSWORD
      - AUTHENTIK_DISABLE_STARTUP_ANALYTICS
      - AUTHENTIK_DISABLE_UPDATE_CHECK
      - AUTHENTIK_ERROR_REPORTING__ENABLED
      - AUTHENTIK_SECRET_KEY
      - AUTHENTIK_COOKIE_DOMAIN
      - AUTHENTIK_LOG_LEVEL
      - AUTHENTIK_EMAIL__HOST
      - AUTHENTIK_EMAIL__PORT
      - AUTHENTIK_EMAIL__USERNAME
      - AUTHENTIK_EMAIL__PASSWORD
      - AUTHENTIK_EMAIL__USE_TLS
      - AUTHENTIK_EMAIL__USE_SSL
      - AUTHENTIK_EMAIL__TIMEOUT
      - AUTHENTIK_EMAIL__FROM
    volumes:
      - "$DOCKERDIR/appdata/authentik/media:/media"
      - "$DOCKERDIR/appdata/authentik/custom-templates:/templates"
      - "$DOCKERDIR/appdata/authentik/geoip/data:/geoip"
      - /var/run/docker.sock:/var/run/docker.sock # Uncomment if NOT using socket-proxy

  geoipupdate:
    image: ghcr.io/maxmind/geoipupdate:latest
    container_name: geoipupdate
    restart: unless-stopped
    user:  ${PUID}:${PGID}
    volumes:
      - "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP"
    networks:
      - authentik-backend
    secrets:
      - geoip_account_id
      - geoip_license_key
    environment:
      - GEOIPUPDATE_EDITION_IDS
      - GEOIPUPDATE_FREQUENCY
      - GEOIPUPDATE_ACCOUNT_ID_FILE
      - GEOIPUPDATE_LICENSE_KEY_FILE

traefik compose

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik
    command: --configfile=/etc/traefik/traefik.yml
    ports:
      - 80:80
      - 443:443/tcp
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      - CF_DNS_API_TOKEN_FILE
      # CF_DNS_API_TOKEN: /run/secrets/cf_dns_api_token # if using .env
      # - TRAEFIK_DASHBOARD_CREDENTIALS
    secrets:
      - cf_dns_api_token
      # - traefik_creds
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "${DOCKERDIR}/appdata/traefik/data/acme.json:/acme.json"
      - "${DOCKERDIR}/appdata/traefik/config/traefik.yml:/etc/traefik/traefik.yml"
      # - "${DOCKERDIR}/secrets/usersfile:/opt/sso/secrets/usersfile"
      - "${DOCKERDIR}/appdata/traefik/rules:/rules"
      - "${DOCKERDIR}/logs/traefik:/logs"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAINNAME}`)"
      # - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/opt/sso/secrets/usersfile"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.${DOMAINNAME}`)"
      # - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=${DOMAINNAME}"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${DOMAINNAME}"
      - "traefik.http.routers.traefik-secure.service=api@internal"

whoami compose

# ------------------------------  
# -- whoami (traefik)
# -- Updated 2024-June-04
# ------------------------------
name: whoami # Project Name
services:
  whoami:
    image: traefik/whoami:latest
    container_name: whoami
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true
    depends_on:
      - traefik
    networks:
      - traefik
    environment:
      - TZ=${TZ}
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAINNAME}`)"
      - "traefik.http.routers.whoami.middlewares=authentik@docker"

base compose

###############################################################
# Networks
###############################################################
networks:
  traefik:
    external: true
    # ipam:
    #   config:
    #     - subnet: 10.255.224.0/20

###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
###############################################################
secrets:
  ## Cloudflare / Traefik
  cf_email:
    file: ${DOCKERDIR}/secrets/cf_email
  cf_dns_api_token:
    file: ${DOCKERDIR}/secrets/cf_dns_api_token
  ## Authentik
  authentik_postgresql_db:
    file: ${DOCKERDIR}/secrets/authentik_postgresql_db
  authentik_postgresql_password:
    file: ${DOCKERDIR}/secrets/authentik_postgresql_password
  authentik_secret_key:
    file: ${DOCKERDIR}/secrets/authentik_secret_key
  gmail_smtp_username:
    file: ${DOCKERDIR}/secrets/gmail_smtp_username
  gmail_smtp_password:
    file: ${DOCKERDIR}/secrets/gmail_smtp_password
  ## GeoIP
  geoip_account_id:
    file: ${DOCKERDIR}/secrets/geoip_account_id
  geoip_license_key:
    file: ${DOCKERDIR}/secrets/geoip_license_key
  traefik_creds:
    file: ${DOCKERDIR}/secrets/traefik_creds
  postgresql_user:
    file: ${DOCKERDIR}/secrets/postgresql_user

###############################################################
# Include
# Merge all of the below compose files into one large compose at run time
# Thanks to Anand (SmartHomeBeginner), this is clean!
###############################################################
include:
  - ${DOCKERDIR}/my-compose/traefik/compose.yaml
  - ${DOCKERDIR}/my-compose/authentik/compose.yaml
  - ${DOCKERDIR}/my-compose/whoami/compose.yaml

.env

################################################################
# .env
# When both env and environment are set for a service, values set by environment have precedence.
# https://docs.docker.com/compose/environment-variables/envvars-precedence/
#
# CANNOT MIX ARRAYS (KEY: VAL) AND MAPS (KEY=VAL)
# Ex: Cannot have .ENV var as TZ=US and then a var here as DB_ENGINE: sqlite, has to be DB_ENGINE=sqlite
# Otherwise unexpected type map[string]interface {} occurs
# https://github.com/docker/compose/issues/11567
#
################################################################
DOCKERDIR=/opt/sso
PUID=1000
PGID=1000
TZ=America/New_York
DOMAINNAME=mydomain.tld

################################################################  
#################### Traefik 3 - June 2024 #####################
# Cloudflare IPs (IPv4 and/or IPv6): https://www.cloudflare.com/ips/
################################################################  
CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
TRAEFIK_DASHBOARD_CREDENTIALS=/run/secrets/traefik_creds
CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
################################################################  
# Authentik (https://docs.goauthentik.io/docs/)
# Environment Variables (https://docs.goauthentik.io/docs/installation/configuration)
################################################################  
POSTGRES_PASSWORD_FILE=/run/secrets/authentik_postgresql_password
POSTGRES_USER_FILE=/run/secrets/postgresql_user
POSTGRES_DB_FILE=/run/secrets/authentik_postgresql_db
AUTHENTIK_REDIS__HOST=authentik_redis
AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
AUTHENTIK_POSTGRESQL__NAME=file:///run/secrets/authentik_postgresql_db
AUTHENTIK_POSTGRESQL__USER=file:///run/secrets/postgresql_user
AUTHENTIK_POSTGRESQL__PASSWORD=file:///run/secrets/authentik_postgresql_password
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
AUTHENTIK_DISABLE_UPDATE_CHECK=false
AUTHENTIK_ERROR_REPORTING__ENABLED=false
AUTHENTIK_LOG_LEVEL=trace # debug, info, warning, error, trace
AUTHENTIK_SECRET_KEY=file:///run/secrets/authentik_secret_key # openssl rand 60 | base64 -w 0
AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
AUTHENTIK_TAG=2024.4.0
# AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: CHANGEME_IFAPPLICABLE # Defaults to all of: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fe80::/10, ::1/128
# DOCKER_HOST=tcp://socket-proxy:2375 # Use this if you have Socket Proxy enabled.
AUTHENTIK_EMAIL__HOST=smtp.gmail.com
AUTHENTIK_EMAIL__PORT=587
AUTHENTIK_EMAIL__USERNAME=file:///run/secrets/gmail_smtp_username
AUTHENTIK_EMAIL__PASSWORD=file:///run/secrets/gmail_smtp_password
AUTHENTIK_EMAIL__USE_TLS=false
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
AUTHENTIK_EMAIL__FROM=file:///run/secrets/gmail_smtp_username

################################################################  
# GeoIP ( https://github.com/maxmind/geoipupdate)  
# Environment Variables (https://github.com/maxmind/geoipupdate/blob/main/doc/docker.md)  
################################################################  
GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" # Space separated
GEOIPUPDATE_FREQUENCY=8 # Frequency to check for updates, in hours
GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_account_id
GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key

My little script to bring it online; because I have been doing it so many times I have automated it.

```bash
#!/bin/bash

###########################################################################################
## This creates the needed directories with the correct file permissions.
## Make sure this is run as the docker user that is set in the compose.yaml files. If this
## is run as root the directories will be created as root and the stack will fail.
###########################################################################################

set -u  # treat unset variables as errors

BASE_DIR='/opt/sso' # Set the base directory your stack is in

directories=(
  "${BASE_DIR}/appdata/authentik/redis/data"
  "${BASE_DIR}/appdata/authentik/postgres/data"
  "${BASE_DIR}/appdata/authentik/media"
  "${BASE_DIR}/appdata/authentik/custom-templates"
  "${BASE_DIR}/appdata/authentik/geoip/data"
  "${BASE_DIR}/secrets"
)

for directory in "${directories[@]}"; do
  mkdir -v -p "$directory"
done

###################################################################################
## This will create the secrets needed. Make sure to change the vars to what you need.
## These are the vars that you will need to set.
##
## $EMAIL # I am using the same email for my cloudflare and authentik email smtp
## $CF_TOKEN # used to get certs from traefik. will need cloudflare account
## $AUTHENTIK_DB_NAME # can be any name you want
## $AUTHENTIK_USER # can be any name you want
## $GMAIL_PW # PW for gmail account, if you have 2FA you will need to generate an app password. https://support.google.com/mail/answer/185833?hl=en
## $GEOIP_ID # Geoip account ID
## $GEOIP_KEY # Geoip account Key. Go to https://dev.maxmind.com/geoip/geolite2-free-geolocation-data in order to generate a free license key (https://www.maxmind.com/en/accounts/current/license-key) for use.
###################################################################################
SECRET_LOCATION="${BASE_DIR}/secrets"
EMAIL='myemail@gmail.com'
AUTHENTIK_DB_NAME='authentik'
AUTHENTIK_USER='user'
GMAIL_PW='superSecretPassword'
GEOIP_ID='123456789'
GEOIP_KEY='some ID'
CF_TOKEN='some token'

## write_secret NAME VALUE: put one var into the secret location.
## The file is created with no group/other permissions (umask) and then made read-only by
## owner. An existing file is kept, so re-running this script never rotates the postgres
## password or the authentik secret key that the running database and server were set up with.
umask 077
write_secret() {
  local file="${SECRET_LOCATION}/$1"
  if [ -e "$file" ]; then
    echo "keeping existing ${file}"
    return 0
  fi
  printf '%s' "$2" > "$file"   # no trailing newline in the secret
  chmod 0400 "$file"
}

write_secret cf_email "${EMAIL}"
write_secret cf_dns_api_token "${CF_TOKEN}"
write_secret authentik_postgresql_db "${AUTHENTIK_DB_NAME}"
write_secret postgresql_user "${AUTHENTIK_USER}"
write_secret gmail_smtp_username "${EMAIL}"
write_secret gmail_smtp_password "${GMAIL_PW}"
write_secret geoip_account_id "${GEOIP_ID}"
write_secret geoip_license_key "${GEOIP_KEY}"
write_secret authentik_postgresql_password "$(openssl rand 36 | base64 -w 0)"
write_secret authentik_secret_key "$(openssl rand 60 | base64 -w 0)"

## bring stack online (the network may already exist from a previous run)
docker network inspect traefik >/dev/null 2>&1 || docker network create traefik
docker-compose -f "${BASE_DIR}/my-compose/compose.yml" build
docker-compose -f "${BASE_DIR}/my-compose/compose.yml" up -d --force-recreate
```
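The Postgres log in the report shows two backend processes (119 and 121) inserting the same `default-*` stage and flow names at the same moment, deadlocking on the unique index and then failing with a duplicate key. The script below is an added example, not code from the issue or from the authentik project, that triages such a log offline: it strips the `authentik_postgresql  | ` prefix docker compose puts in front of every container line, re-joins the indented continuation lines of a DETAIL block, and reports which backends collided on which relation and what each was executing. The sample input is a constructed subset of the lines posted above.

```python
"""Triage a compose-prefixed PostgreSQL log for deadlocks and unique-key collisions.

Added example; not part of the issue or of authentik.
"""
import re

# Constructed sample: a subset of the log lines posted in the issue.
SAMPLE_LOG = """\
authentik_postgresql  | 2024-09-22 12:43:35.125 UTC [1] LOG:  database system is ready to accept connections
authentik_postgresql  | 2024-09-22 12:44:32.261 UTC [119] ERROR:  deadlock detected
authentik_postgresql  | 2024-09-22 12:44:32.261 UTC [119] DETAIL:  Process 119 waits for ShareLock on transaction 2473; blocked by process 121.
authentik_postgresql  |     Process 121 waits for ShareLock on transaction 2475; blocked by process 119.
authentik_postgresql  |     Process 119: INSERT INTO "authentik_flows_stage" ("stage_uuid", "name") VALUES ('65e07b080a3d4bbb9fa65ced912b4e07'::uuid, 'default-password-change-write')
authentik_postgresql  |     Process 121: INSERT INTO "authentik_flows_stage" ("stage_uuid", "name") VALUES ('583285c8241e42d1b46b7eb3f504b048'::uuid, 'default-authentication-login')
authentik_postgresql  | 2024-09-22 12:44:32.261 UTC [119] HINT:  See server log for query details.
authentik_postgresql  | 2024-09-22 12:44:32.261 UTC [119] CONTEXT:  while inserting index tuple (0,18) in relation "authentik_flows_stage_name_a2584620_uniq"
authentik_postgresql  | 2024-09-22 12:44:32.404 UTC [121] ERROR:  duplicate key value violates unique constraint "authentik_flows_flow_slug_key"
authentik_postgresql  | 2024-09-22 12:44:32.404 UTC [121] DETAIL:  Key (slug)=(default-password-change) already exists.
"""

COMPOSE_PREFIX = re.compile(r"^\S+\s+\| ?")          # "container_name  | "
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \w+) "
    r"\[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
WAITS = re.compile(r"Process (\d+) waits for (\w+) on transaction (\d+); blocked by process (\d+)\.")
STMT = re.compile(r"Process (\d+): (.*)")
RELATION = re.compile(r'relation "([^"]+)"')
TABLE = re.compile(r'(?:INSERT INTO|UPDATE) "([^"]+)"')


def parse_entries(text):
    """One dict per log entry; indented continuation lines are kept in 'extra'."""
    entries = []
    for raw in text.splitlines():
        line = COMPOSE_PREFIX.sub("", raw, count=1)
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "extra": []})
        elif entries and line.startswith(" "):
            entries[-1]["extra"].append(line.strip())
    return entries


def find_collisions(entries):
    """Pair each ERROR with the DETAIL/CONTEXT lines the same backend pid emitted after it."""
    findings, current = [], None
    for e in entries:
        if e["level"] == "ERROR":
            current = {"pid": int(e["pid"]), "error": e["msg"], "waits": [],
                       "statements": {}, "relation": None, "detail": ""}
            findings.append(current)
        elif current is None or e["pid"] != str(current["pid"]):
            continue
        elif e["level"] == "DETAIL":
            for line in [e["msg"], *e["extra"]]:
                w, s = WAITS.match(line), STMT.match(line)
                if w:      # (waiting pid, lock mode, transaction, blocking pid)
                    current["waits"].append((int(w[1]), w[2], int(w[3]), int(w[4])))
                elif s:    # the statement each backend was executing
                    current["statements"][int(s[1])] = s[2]
                else:      # e.g. "Key (slug)=(...) already exists."
                    current["detail"] = line
        elif e["level"] == "CONTEXT":
            r = RELATION.search(e["msg"])
            current["relation"] = r[1] if r else None
    return findings


def tables_involved(findings):
    """Tables named by the colliding INSERT/UPDATE statements."""
    return {m[1] for f in findings for stmt in f["statements"].values() if (m := TABLE.match(stmt))}


def summarize(findings):
    """One human-readable line per deadlock or unique violation."""
    lines = []
    for f in findings:
        if f["error"].startswith("deadlock"):
            pids = sorted({p for w in f["waits"] for p in (w[0], w[3])})
            what = "; ".join(f"{p} ran {f['statements'][p].split(' (')[0]}"
                             for p in pids if p in f["statements"])
            lines.append(f"deadlock between backends {pids} on {f['relation']}: {what}")
        elif f["error"].startswith("duplicate key"):
            lines.append(f"unique violation in backend {f['pid']}: {f['detail']}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_collisions(parse_entries(SAMPLE_LOG))):
        print(line)
```

Run against the full container log (`docker compose logs authentik_postgresql | python3 triage.py` with a `sys.stdin.read()` in place of `SAMPLE_LOG`) the summary lists every pair of backends that blocked each other and the table they were both writing, which is the first thing to compare against which containers were starting at that timestamp.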
BeryJu commented 1 day ago

Could you try with a newer authentik version like 2024.10 or 2024.8 and a more default compose file compared to this and check if this issue still happens? Also please include the logs of the authentik-server and worker containers.
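The base compose header in the report asks for secret files owned by the container user and mode 0400, and the `tree` output already shows one mounted directory the reporting user cannot open. The script below is an added example, not code from the issue or from the authentik project, that audits a stack layout against those expectations before `docker compose up`: every declared secret must exist, be a regular file readable only by its owner, belong to `PUID`, and carry no stray newline; every bind-mounted data directory the `PUID:PGID` containers write to must exist and be owned by that user. `SECRET_NAMES` and `DATA_DIRS` are modelled on the compose files above and are assumptions to adjust; `build_fixture()` creates constructed sample data with deliberate defects so the audit can be exercised offline.

```python
"""Preflight audit of secrets and data directories for a compose stack.

Added example; not part of the issue or of authentik. Expectations follow the
base compose header above: secrets 0400 and owned by the container user.
"""
import os
import stat
import tempfile

# Assumed lists, taken from the `secrets:` and `volumes:` sections of the posted compose files.
SECRET_NAMES = [
    "cf_email", "cf_dns_api_token", "authentik_postgresql_db",
    "authentik_postgresql_password", "authentik_secret_key",
    "gmail_smtp_username", "gmail_smtp_password",
    "geoip_account_id", "geoip_license_key", "postgresql_user",
]
DATA_DIRS = [  # bind mounts written by the containers that run as PUID:PGID
    "appdata/authentik/media", "appdata/authentik/custom-templates",
    "appdata/authentik/geoip/data", "appdata/authentik/redis/data",
]


def audit_secret(path, uid):
    """Problems with one secret file; an empty list means it is acceptable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"group/other can access (mode {mode:04o}, expected 0400)")
    if st.st_uid != uid:
        problems.append(f"owned by uid {st.st_uid}, container user is {uid}")
    if st.st_size == 0:
        problems.append("empty")
    elif mode & stat.S_IRUSR:
        with open(path, "rb") as fh:
            data = fh.read()
        if data != data.strip():   # the setup script writes with echo -n for this reason
            problems.append("has leading/trailing whitespace or newline")
    else:
        problems.append("owner cannot read it")
    return problems


def audit_data_dir(path, uid, gid):
    """A bind-mounted data directory must exist and be owned by, and writable for, PUID:PGID."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        problems.append(f"owned by {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    if not stat.S_IMODE(st.st_mode) & stat.S_IWUSR:
        problems.append("owner cannot write")
    return problems


def audit_stack(base_dir, uid, gid):
    """Map of relative path -> problems, containing only entries that have a problem."""
    report = {}
    for name in SECRET_NAMES:
        rel = os.path.join("secrets", name)
        if problems := audit_secret(os.path.join(base_dir, rel), uid):
            report[rel] = problems
    for rel in DATA_DIRS:
        if problems := audit_data_dir(os.path.join(base_dir, rel), uid, gid):
            report[rel] = problems
    return report


def build_fixture(root):
    """Constructed sample layout with deliberate defects: one world-readable secret,
    one secret with a trailing newline, one missing secret, one missing data directory."""
    secrets = os.path.join(root, "secrets")
    os.makedirs(secrets)
    for name in SECRET_NAMES:
        if name == "geoip_license_key":
            continue
        path = os.path.join(secrets, name)
        with open(path, "wb") as fh:
            fh.write(b"example-value\n" if name == "gmail_smtp_password" else b"example-value")
        os.chmod(path, 0o644 if name == "cf_email" else 0o400)
    for rel in DATA_DIRS:
        if rel != "appdata/authentik/redis/data":
            os.makedirs(os.path.join(root, rel))
    return root


def demo():
    """Build the fixture in a temp dir and audit it as the current user."""
    root = build_fixture(tempfile.mkdtemp(prefix="sso-audit-"))
    return audit_stack(root, os.getuid(), os.stat(root).st_gid)


if __name__ == "__main__":
    for rel, problems in demo().items():
        print(f"{rel}: {', '.join(problems)}")
```

For a real run call `audit_stack("/opt/sso", 1000, 1000)` with the `PUID`/`PGID` values from `.env`. The postgres data directory is deliberately not in `DATA_DIRS`: the official postgres image re-owns that directory to its own `postgres` user when it starts as root, so a `PUID` expectation there would be the wrong check.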