Preamble: I like running containers in my own infrastructure via `docker-compose`. Through it you can easily define the properties of your containers and their relations to each other, which makes maintenance and even migration much easier. Sure, in a business environment (and if the application is suitable for it) you may be using a proper container orchestrator like Kubernetes, but Kubernetes comes with its own added complexity, and even in a business environment you may not want to maintain your own Kubernetes cluster but rather fall back to a managed environment. The following description assumes `docker` and `docker-compose` are already installed and their usage is familiar to the reader.
To motivate people to use your services, one of the most important things is convenience of use. Services should therefore be available through easy-to-remember domain names and without forcing the user to remember separate user accounts for each of them. That is why the first real production service within my new IT landscape is the identity provider Authentik.
Authentik is a very interesting project in my opinion, since it integrates several functionalities into one package: it not only offers plenty of possibilities to integrate third-party applications, but also provides a web-based user portal and admin console (which even allows UI customization in an upgrade-safe manner) and comes with deployment instructions for `docker-compose` and Kubernetes. In terms of integrating applications, Authentik can:
- act as an OAuth 2.0/OpenID Connect provider for other applications
- act as a SAML identity provider
- integrate with Traefik to reverse proxy applications, while adding authentication on the proxy layer
- work as an authentication gateway by offering “forward auth”
- be used as an LDAP server by applications
And on top of that, the LDAP and proxy “outposts” can be deployed multiple times to be closer to the applications that should use them.
The general setup is explained quite well in the official documentation, but for my environment I have made a few small changes. Since I want my identity provider to be as mobile as possible, I am running it behind a Cloudflare tunnel so that I can spin up a new instance pretty much anywhere in the world, even where it would otherwise not be publicly reachable. To achieve this I am running an instance of cloudflared in host network mode via `docker-compose`. The token for the tunnel is stored inside of the `.env` file along with the configuration values of Authentik.
My `docker-compose.tunnel.yaml`:

```yaml
---
version: '3.4'
volumes:
  cloudflared_certs:
    driver: local
networks:
  proxy:
    external: true
  internal:
    external: false
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    # host networking lets the tunnel reach the services published on this host
    network_mode: "host"
    restart: unless-stopped
    # CLOUDFLAREDTOKEN is read from the .env file, not written into the compose file
    command: tunnel --no-autoupdate run --token $CLOUDFLAREDTOKEN
```
The domain can be mapped through the Cloudflare Dashboard as a “Public Hostname” for the tunnel in question.
And last but not least, backups are important as well. For this I am using the `postgres-backup-local` container to create automated and rotated backups.
```yaml
---
version: '3.4'
networks:
  proxy:
    external: true
  internal:
    external: false
services:
  pgbackups:
    container_name: Backup
    image: prodrigestivill/postgres-backup-local
    restart: always
    volumes:
      # dumps land on the host in ./backup
      - ./backup:/backups
    links:
      - postgresql:postgresql
    depends_on:
      - postgresql
    environment:
      # database credentials come from the same .env file as the Authentik configuration
      - POSTGRES_HOST=postgresql
      - POSTGRES_DB=${PG_DB}
      - POSTGRES_USER=${PG_USER}
      - POSTGRES_PASSWORD=${PG_PASS}
      - POSTGRES_EXTRA_OPTS=-Z9 --schema=public --blobs
      # dump every 12 hours, keep 7 daily, 4 weekly and 6 monthly copies
      - SCHEDULE=@every 12h00m00s
      - BACKUP_KEEP_DAYS=7
      - BACKUP_KEEP_WEEKS=4
      - BACKUP_KEEP_MONTHS=6
      - HEALTHCHECK_PORT=81
    networks:
      - internal
```
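A backup that is never read back is not yet a backup, so here is an added example (my own check script, not part of the original setup or of the postgres-backup-local project) that can be run from cron or a monitoring job against the `./backup` directory mounted above: it finds the newest dump, verifies it is younger than the 12h schedule allows, and confirms it is a complete gzip stream that really contains pg_dump output. It assumes the dumps are `*.sql.gz` files written by `pg_dump -Z9`, as the `POSTGRES_EXTRA_OPTS` above request, and that the file names contain no whitespace.

```sh
#!/bin/sh
# check_backups.sh (added example) -- sanity-check the dumps the pgbackups
# service writes to ./backup before trusting them for a restore.
# Assumptions: dumps are *.sql.gz files produced by pg_dump -Z9 (a gzip
# stream whose text starts with the pg_dump header comment) and the
# file names contain no whitespace.

# check_latest_backup DIR MAX_AGE_MINUTES
#   0 = newest dump is fresh and readable, 1 = no dumps, 2 = stale, 3 = corrupt
check_latest_backup() {
  dir=$1
  max_age_min=$2
  latest=
  # Newest regular *.sql.gz anywhere below DIR; symlinks such as a
  # "latest" pointer are skipped so the real file is what gets tested.
  for f in $(find "$dir" -type f -name '*.sql.gz'); do
    if [ -z "$latest" ] || [ "$f" -nt "$latest" ]; then
      latest=$f
    fi
  done
  if [ -z "$latest" ]; then
    echo "FAIL: no *.sql.gz dumps under $dir" >&2
    return 1
  fi
  # Freshness: find prints the file only if it was modified within the window.
  if [ -z "$(find "$latest" -mmin "-$max_age_min")" ]; then
    echo "FAIL: $latest is older than $max_age_min minutes" >&2
    return 2
  fi
  # Integrity: non-empty, a complete gzip stream, and really pg_dump output
  # (catches truncated files and empty dumps that gzip alone would accept).
  if [ ! -s "$latest" ] || ! gzip -t "$latest" 2>/dev/null \
     || ! gzip -dc "$latest" | head -c 256 | grep -q 'PostgreSQL database dump'; then
    echo "FAIL: $latest is empty, truncated or not a pg_dump file" >&2
    return 3
  fi
  echo "OK: $latest"
  return 0
}

# Run directly: with the 12h SCHEDULE above, a healthy setup always has a dump
# younger than 13 hours (780 minutes). Usage: ./check_backups.sh ./backup [minutes]
if [ "${1:-}" != "" ]; then
  check_latest_backup "$1" "${2:-780}"
fi
```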
To start all of the above configuration, the following is added to my `.env`:

```
COMPOSE_FILE=docker-compose.yml:docker-compose.backup.yml:docker-compose.tunnel.yml
```
With these adjustments Authentik will be available via the chosen domain (https://auth.9wd.tech in my case) and I can go to https://auth.9wd.tech/if/flow/initial-setup/ to set the password for the `akadmin` user.
In the next blog post I will show some of the configuration.
Hint: Do you need additional help? An always up-to-date configuration can be found in the private git repository. Become my sponsor on GitHub to get access to a private group chat and git repository.