Key Features
- SAML, OAuth2, OpenID Connect support
- LDAP and SCIM integration
- Visual flow designer for authentication
- Built-in application proxy & outposts
Prerequisites
Before starting, ensure you have:
Server Requirements
- RamNode VPS with 2 GB RAM minimum
- 4 GB RAM recommended for production
- Ubuntu 24.04 LTS or Debian 12
- Domain name pointed at your VPS
Recommended Specs
| Use Case | RAM | Storage |
|---|---|---|
| Small/Dev | 2 GB | 20 GB |
| Production | 4 GB | 40 GB |
| Enterprise | 8+ GB | 80+ GB |
Initial Server Setup
Update System & Install Packages
apt update && apt upgrade -y
apt install -y curl git pwgen apache2-utils
Install Docker
Install Docker Engine
curl -fsSL https://get.docker.com | sh
systemctl enable --now docker
Verify Installation
docker --version
docker compose version
Configure Firewall
Setup UFW Firewall
apt install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
Create Directory Structure
Create Authentik Directories
mkdir -p /opt/authentik/{certs,media,templates,custom-templates}
cd /opt/authentik
Generate Secrets
Authentik requires a secret key and a database password. Generate both with pwgen and append them to a .env file in /opt/authentik:
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
The .env file now holds the credentials for the whole deployment: make it readable only by root, keep it out of version control, and do not regenerate AUTHENTIK_SECRET_KEY later, since it signs session cookies and changing it invalidates every active session.
Docker Compose Configuration
Place the upstream docker-compose.yml from the authentik documentation (goauthentik.io/docker-compose.yml) in /opt/authentik and review it before starting anything; it defines the four services below and reads PG_PASS and AUTHENTIK_SECRET_KEY from .env.
Container Services Overview
| Service | Purpose |
|---|---|
| postgresql | PostgreSQL 16 database for persistent storage |
| redis | Session management and message queuing |
| server | Main web server handling HTTP requests |
| worker | Background task processor for async operations |
Environment Variables
Add these settings to your .env file:
AUTHENTIK_ERROR_REPORTING__ENABLED=false
AUTHENTIK_DISABLE_UPDATE_CHECK=false
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
COMPOSE_PROJECT_NAME=authentik
SMTP Configuration (Optional)
AUTHENTIK_EMAIL__HOST=smtp.your-provider.com
AUTHENTIK_EMAIL__PORT=587
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__FROM=authentik@yourdomain.com
Most providers also require AUTHENTIK_EMAIL__USERNAME and AUTHENTIK_EMAIL__PASSWORD. Without working email, password-recovery and email-verification stages cannot send anything, so test delivery before relying on those flows.
Reverse Proxy with Caddy
Install Caddy
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | \
gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | \
tee /etc/apt/sources.list.d/caddy-stable.list
apt update && apt install -y caddy
systemctl enable --now caddy
The keyring on its own does nothing; the second curl adds the Caddy apt repository that the key verifies. Without it, apt install caddy either fails or silently installs the (older) distribution package.
Configure Caddyfile
Create /etc/caddy/Caddyfile with your domain. Caddy obtains and renews the TLS certificate for it automatically, which is why port 80 stays open in the firewall:
auth.yourdomain.com {
  reverse_proxy localhost:9000
  header {
    X-Content-Type-Options nosniff
    X-Frame-Options DENY
    Referrer-Policy strict-origin-when-cross-origin
  }
  encode gzip
}
Caddy should be the only way to reach port 9000. Docker publishes container ports by inserting its own iptables rules, which are evaluated before UFW's, so a plain 9000:9000 port mapping in the compose file is reachable from the internet despite the firewall rules above. Bind the mapping to the loopback address (127.0.0.1:9000:9000) so only the local Caddy process can connect, and do not publish the server's 9443 HTTPS port at all.
Launch Authentik
Start the Containers
cd /opt/authentik
docker compose pull
docker compose up -d
Monitor Startup
docker compose logs -f
ℹ️ Wait until you see messages indicating the server is ready (typically 1-2 minutes on first launch).
Initial Configuration
Access the Setup Wizard
Navigate to https://auth.yourdomain.com/if/flow/initial-setup/ in your browser. This URL is only available during first-time setup, but until you complete it anyone who reaches the address can set the admin password and take over the instance, so do this immediately after the containers report ready.
Configure Basic Settings
After logging in to the admin interface:
1. Navigate to System → Settings and configure your installation title and branding
2. Under System → Brands (called Tenants in releases before 2024.2), update the default brand with your domain
3. Review Events → Logs to verify everything started correctly
Security Hardening
Docker Socket Proxy
The stock compose file mounts /var/run/docker.sock into the worker so authentik can deploy outposts as containers. Whoever controls that socket controls the host, so if you do not use Docker-deployed outposts, remove the mount; if you do, route the worker through a Docker socket proxy (tecnativa/docker-socket-proxy) that exposes only the container-management API calls outposts need, instead of mounting the socket directly.
Configure Fail2ban
apt install -y fail2ban
Create Authentik Filter
Create /etc/fail2ban/filter.d/authentik.conf:
[Definition]
failregex = ^.* Failed login attempt .* remote=<HOST>.*$
Create Jail Configuration
Create /etc/fail2ban/jail.d/authentik.conf:
[authentik]
enabled = true
maxretry = 5
bantime = 3600
As written the jail has nothing to read: add a logpath pointing at the server container's log (Docker keeps it under /var/lib/docker/containers/<container-id>/<container-id>-json.log) or switch the container to the journald logging driver and set backend = systemd. authentik emits structured JSON log lines rather than the free-text format the failregex above assumes, so validate the pattern against real failed-login lines with fail2ban-regex before enabling the jail. authentik's built-in reputation policy already scores repeated failures per IP and username; fail2ban adds network-level blocking on top of that.
Backup Configuration
Automated Backup Script
Create a backup script at /opt/authentik/backup.sh that performs:
- • PostgreSQL database dump using pg_dump
- • Backup of media files, custom templates, and environment configuration
- • Automatic cleanup of backups older than 7 days
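The page lists what backup.sh should do without showing it. The script below is an added example written for this guide, not code from the original page or the authentik project. It assumes the upstream compose file's service name postgresql and the database user and name authentik (the same ones the troubleshooting section's psql command uses), the directories created under /opt/authentik in the setup section, and a hypothetical archive location /var/backups/authentik. It takes an explicit run argument so the helper functions can be exercised without touching Docker.

```shell
#!/usr/bin/env bash
# Added example backup script for /opt/authentik/backup.sh (not from the
# original page or the authentik project). Assumed: compose service name
# "postgresql", database user/name "authentik", and the archive directory
# /var/backups/authentik (hypothetical; change to taste).
set -eu

AUTHENTIK_DIR="${AUTHENTIK_DIR:-/opt/authentik}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/authentik}"
RETENTION_DAYS="${RETENTION_DAYS:-7}"

# Archive file name for a timestamp such as 20250101-030000.
backup_name() {
  echo "authentik-$1.tar.gz"
}

# Delete archives in directory $1 older than $2 days, then print how many remain.
prune_old_backups() {
  local dir="$1" days="$2"
  find "$dir" -maxdepth 1 -type f -name 'authentik-*.tar.gz' -mtime +"$days" -exec rm -f {} +
  find "$dir" -maxdepth 1 -type f -name 'authentik-*.tar.gz' | wc -l | tr -d ' '
}

# Dump the database and bundle it with media, templates, certs and .env.
run_backup() {
  local stamp work archive
  stamp="$(date +%Y%m%d-%H%M%S)"
  work="$(mktemp -d)"
  archive="$BACKUP_DIR/$(backup_name "$stamp")"
  mkdir -p "$BACKUP_DIR"
  chmod 700 "$BACKUP_DIR"   # archives contain .env, so keep them root-only

  # pg_dump runs inside the postgresql container over its local socket (no
  # password needed there) and the SQL is streamed to the host.
  docker compose --project-directory "$AUTHENTIK_DIR" exec -T postgresql \
    pg_dump -U authentik -d authentik --clean --if-exists > "$work/authentik.sql"

  tar -czf "$archive" \
    -C "$work" authentik.sql \
    -C "$AUTHENTIK_DIR" .env media custom-templates templates certs
  chmod 600 "$archive"
  rm -rf "$work"
  echo "wrote $archive"
}

case "${1:-}" in
  run)
    run_backup
    prune_old_backups "$BACKUP_DIR" "$RETENTION_DAYS" >/dev/null
    ;;
  prune)
    prune_old_backups "$BACKUP_DIR" "$RETENTION_DAYS"
    ;;
  *)
    echo "usage: $0 run|prune" >&2
    ;;
esac
```

Install it with chmod 700 /opt/authentik/backup.sh and invoke it as /opt/authentik/backup.sh run from the cron entry in the next step. Each archive contains .env, and therefore the database password and secret key, which is why the archive directory and files are created root-only; copy archives off the VPS with that in mind.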
Schedule Daily Backups
0 3 * * * /opt/authentik/backup.sh >> /var/log/authentik-backup.log 2>&1
Updating Authentik
Update Process
To update to a newer version:
1. Take a fresh backup, then edit docker-compose.yml and update the image tag (e.g., 2024.10 to 2024.12)
2. Pull and restart the containers
3. Clean up old images
docker compose pull && docker compose up -d
docker image prune -f
⚠️ Important: Always review the release notes before upgrading, as some versions may require database migrations or configuration changes. Migrations run automatically when the new containers start, so a backup taken beforehand is the only way to roll back.
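As an added example (not from the original page or the authentik project), the helper below scripts the three steps above with the guards a practitioner would want: a backup first, a refusal to edit the compose file if it is not on the tag you expect, and a wait on authentik's readiness endpoint before pruning images. It assumes image references are written literally as ghcr.io/goauthentik/server:<tag> in docker-compose.yml (if your file uses the upstream ${AUTHENTIK_TAG:-...} form, change the tag in .env instead), that the server's port 9000 is bound on 127.0.0.1, and that /opt/authentik/backup.sh accepts a run argument; BACKUP_CMD, HEALTH_URL and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example update helper for an authentik compose deployment (not from
# the original page or the authentik project). Assumed: literal image tags
# ghcr.io/goauthentik/server:<tag> in docker-compose.yml, port 9000 bound on
# 127.0.0.1, and a backup script that takes a "run" argument. BACKUP_CMD and
# HEALTH_URL are this example's own names.
set -eu

AUTHENTIK_DIR="${AUTHENTIK_DIR:-/opt/authentik}"
COMPOSE_FILE="${COMPOSE_FILE:-$AUTHENTIK_DIR/docker-compose.yml}"
BACKUP_CMD="${BACKUP_CMD:-$AUTHENTIK_DIR/backup.sh run}"
HEALTH_URL="${HEALTH_URL:-http://127.0.0.1:9000/-/health/ready/}"

# Print the tag currently used for the authentik server image in file $1.
current_tag() {
  sed -n 's|.*ghcr\.io/goauthentik/server:\([^[:space:]"]*\).*|\1|p' "$1" | head -n 1
}

# Rewrite every ghcr.io/goauthentik/server:$2 reference in file $1 to tag $3
# and print the resulting tag. Refuses if the file is not currently on $2, so
# an earlier unnoticed edit cannot be silently overwritten.
bump_image_tag() {
  local file="$1" old="$2" new="$3" esc
  if [ "$(current_tag "$file")" != "$old" ]; then
    echo "$file is not on tag $old" >&2
    return 1
  fi
  esc="$(printf '%s\n' "$old" | sed 's/[.]/\\./g')"   # dots are literal in the tag
  sed -i "s|ghcr\.io/goauthentik/server:${esc}|ghcr.io/goauthentik/server:${new}|g" "$file"
  current_tag "$file"
}

# Poll the readiness endpoint for up to $1 seconds; returns 1 on timeout.
wait_ready() {
  local deadline
  deadline=$(( $(date +%s) + $1 ))
  until curl -fsS "$HEALTH_URL" >/dev/null 2>&1; do
    [ "$(date +%s)" -lt "$deadline" ] || return 1
    sleep 5
  done
}

update() {
  local new="$1" old
  old="$(current_tag "$COMPOSE_FILE")"
  echo "updating authentik $old -> $new (release notes reviewed?)"
  $BACKUP_CMD   # unquoted on purpose: the command may carry arguments
  bump_image_tag "$COMPOSE_FILE" "$old" "$new"
  docker compose --project-directory "$AUTHENTIK_DIR" pull
  docker compose --project-directory "$AUTHENTIK_DIR" up -d
  if wait_ready 300; then
    docker image prune -f
    echo "authentik $new is ready"
  else
    echo "authentik did not become ready within 5 minutes; inspect" \
         "'docker compose logs server worker' before doing anything else" >&2
    return 1
  fi
}

case "${1:-}" in
  "") echo "usage: $0 <new-tag>" >&2 ;;
  *)  update "$1" ;;
esac
```

Run it as ./update.sh 2024.12 from /opt/authentik. The readiness wait matters because the new server applies database migrations before it answers on /-/health/ready/; pruning images while that is still in progress would remove the only image you could roll back to without a pull.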
Troubleshooting
Check Container Status
docker compose ps
docker compose logs server --tail 100
docker compose logs worker --tail 100
Verify Database Connectivity
docker compose exec postgresql psql -U authentik -c "SELECT version();"
Test Redis Connection
docker compose exec redis redis-cli ping
Common Issues
| Issue | Solution |
|---|---|
| Memory issues | Use deploy.resources.limits.memory in compose file |
| Container restarts | Check logs for specific errors |
| Database errors | Verify PG_PASS in .env matches database |
Integrating Applications
Once Authentik is running, you can configure it as an identity provider for your other self-hosted applications. Common integrations include Gitea, Nextcloud, Grafana, and many others.
Each Application Requires:
- Creating a new Provider in Authentik's admin interface
- Creating an Application entry linked to the provider
- Configuring the target application with the generated client credentials
📚 The Authentik documentation provides specific integration guides at docs.goauthentik.io/integrations/
