9wd.tech - User identity and access - Part 1

Preamble: I like running containers in my own infrastructure via docker-compose. It lets you easily define the properties of your containers and their relations to each other, which makes maintenance and even migration much easier. Sure, in a business environment (and if the application is suitable for it) you may be using a proper container orchestrator like Kubernetes, but Kubernetes comes with its own added complexity, and even in a business environment you may not want to maintain your own Kubernetes cluster but rather fall back to a managed environment. The following description assumes that docker and docker-compose are already installed and that the reader is familiar with their usage.

To motivate people to use your services, one of the most important things is convenience of use. Services should therefore be available through easy-to-remember domain names and without forcing the user to remember separate user accounts for each of them. That is why the first real production service within my new IT landscape is the identity provider Authentik.

Authentik is a very interesting project in my opinion, since it integrates several functionalities into one package: it not only offers plenty of possibilities to integrate third-party applications, but also provides a web-based user portal and admin console (which even allows UI customization in an upgrade-safe manner) and ships deployment instructions for both docker-compose and Kubernetes. In terms of integrating applications, Authentik can:

  • act as an OAuth 2.0/OpenID provider for other applications
  • act as a SAML identity provider
  • integrate with Traefik to reverse proxy applications, adding authentication on the proxy layer
  • work as an authentication gateway by offering “forward auth”
  • be used as an LDAP server by applications

On top of that, the LDAP and proxy “outposts” can be deployed multiple times to be closer to the applications that should use them.

The general setup is explained quite well in the official documentation, but for my environment I have made a few small changes. Since I want my identity provider to be as mobile as possible, I am running it behind a Cloudflare tunnel so that I can spin up a new instance pretty much anywhere in the world, even where it would otherwise not be publicly reachable. To achieve this I am running an instance of cloudflared in host network mode via docker-compose. The token for the tunnel is stored in the .env file alongside the configuration values of Authentik.

My docker-compose.tunnel.yml:

---
version: '3.4'

volumes:
  cloudflared_certs:
    driver: local

networks:
  proxy:
    external: true
  internal:
    external: false

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    network_mode: "host"
    restart: unless-stopped
    command: tunnel --no-autoupdate run --token $CLOUDFLAREDTOKEN

The domain can be mapped through the Cloudflare Dashboard as a “Public Hostname” for the tunnel in question.

And last but not least, backups are important as well. For this I am using the postgres-backup-local container to create automated and rotated backups.

---
version: '3.4'

networks:
  proxy:
    external: true
  internal:
    external: false

services:
  pgbackups:
    container_name: Backup
    image: prodrigestivill/postgres-backup-local
    restart: always
    volumes:
      - ./backup:/backups
    links:
      - postgresql:postgresql
    depends_on:
      - postgresql
    environment:
      - POSTGRES_HOST=postgresql
      - POSTGRES_DB=${PG_DB}
      - POSTGRES_USER=${PG_USER}
      - POSTGRES_PASSWORD=${PG_PASS}
      # pg_dump options: maximum gzip compression, public schema only, include large objects
      - POSTGRES_EXTRA_OPTS=-Z9 --schema=public --blobs
      # dump every 12 hours and keep 7 daily, 4 weekly and 6 monthly copies
      - SCHEDULE=@every 12h00m00s
      - BACKUP_KEEP_DAYS=7
      - BACKUP_KEEP_WEEKS=4
      - BACKUP_KEEP_MONTHS=6
      - HEALTHCHECK_PORT=81
    networks:
      - internal
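Since the backup job runs unattended, a dump that is stale, corrupt or cut short goes unnoticed until a restore is needed. The following script (an added example, not from the original post or from the postgres-backup-local project) checks the newest dump in the ./backup volume for exactly those three failure modes; the file layout, the `example` table in the constructed dumps and the 750-minute threshold (the 12 h schedule plus slack) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post or of postgres-backup-local):
# sanity-check the newest dump the backup container wrote. Assumed layout: the
# ./backup volume contains *.sql.gz files produced by pg_dump -Z9 (plain SQL,
# gzip-compressed). A dump is healthy when it is fresh, a valid gzip stream, and
# carries both the pg_dump header and the "dump complete" trailer.

# Print the most recently modified *.sql.gz in DIR (empty output if there is none).
latest_dump() {
  ls -t "$1"/*.sql.gz 2>/dev/null | head -n 1
}

# check_dump FILE MAX_AGE_MINUTES: return 0 for a complete, fresh dump;
# otherwise print the reason and return a distinct non-zero code.
check_dump() {
  local file="$1" max_age_min="$2"
  [ -s "$file" ] || { echo "missing or empty: $file"; return 1; }
  # Older than the interval plus slack: the scheduler or the container may be dead.
  if [ -n "$(find "$file" -mmin +"$max_age_min")" ]; then
    echo "stale (older than ${max_age_min} min): $file"; return 2
  fi
  # A corrupt gzip stream is typical for a disk that filled up mid-write.
  gzip -t "$file" 2>/dev/null || { echo "corrupt gzip: $file"; return 3; }
  # pg_dump's plain format opens with a header comment and closes with a
  # trailer comment; a missing trailer means the dump was cut short.
  gzip -dc "$file" | head -n 5 | grep -q 'PostgreSQL database dump' \
    || { echo "no pg_dump header: $file"; return 4; }
  gzip -dc "$file" | tail -n 5 | grep -q 'PostgreSQL database dump complete' \
    || { echo "truncated dump (no trailer): $file"; return 5; }
  echo "ok: $file"
}

# Constructed demo: one complete dump and one truncated dump in a temp dir.
demo() {
  local dir; dir=$(mktemp -d)
  mkdir -p "$dir/bad"
  printf -- '--\n-- PostgreSQL database dump\n--\nCREATE TABLE example (id integer);\n--\n-- PostgreSQL database dump complete\n--\n' \
    | gzip -9 > "$dir/authentik-latest.sql.gz"
  printf -- '--\n-- PostgreSQL database dump\n--\nCREATE TABLE example (id integer);\n' \
    | gzip -9 > "$dir/bad/authentik-cut.sql.gz"
  check_dump "$(latest_dump "$dir")" 750   # 12h schedule plus 30 min slack
  check_dump "$dir/bad/authentik-cut.sql.gz" 750 || true
  rm -rf "$dir"
}

demo
```

Run it from the directory holding the compose files, e.g. `check_dump "$(latest_dump ./backup)" 750`, and wire the exit code into whatever monitoring watches the host.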

To start all of the above together, the following line is added to my .env so that docker-compose merges the three files:

COMPOSE_FILE=docker-compose.yml:docker-compose.backup.yml:docker-compose.tunnel.yml

With these adjustments Authentik is available via the chosen domain (https://auth.9wd.tech in my case), and I can go to https://auth.9wd.tech/if/flow/initial-setup/ to set the password for the akadmin user.

In the next post I will show some of the configuration.

Hint: Do you need additional help? An always up-to-date configuration can be found in my private git repository. Become my sponsor on GitHub to get access to a private group chat and the git repository.