From c2073dfafbc6f993db3060fec471ee81dd712570 Mon Sep 17 00:00:00 2001
From: Hayden Liu
Date: Sat, 7 Feb 2026 01:33:25 +0800
Subject: [PATCH] Authentik

---
 README.md | 16 ++++++
 authentik/docker-compose.yml | 106 +++++++++++++++++++++++++++++++++++
 dua.env | 2 +
 portainer/docker-compose.yml | 4 +-
 traefik/docker-compose.yml | 8 +-
 5 files changed, 130 insertions(+), 6 deletions(-)
 create mode 100644 authentik/docker-compose.yml
 create mode 100644 dua.env

diff --git a/README.md b/README.md
index dcbefc7..5f63307 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,18 @@
 # dua
+PG_PASS
+dZ/j3/DRqh1gnd7+8dPnd8TvbfTGjT5Su38LrEvItXmrd9PQ
+AUTHENTIK_SECRET_KEY
+KsvhQHhm72Sa5sZ37VQGn54rnzB8aZ++5xp8erxaxy4HFIR2t2YOfEwpzt3BPvzPP8HMik4J1675I442
+AUTHENTIK_ERROR_REPORTING__ENABLED
+true
+COMPOSE_PORT_HTTP
+8087
+COMPOSE_PORT_HTTPS
+8088
+
+''
+networks:
+  traefik_proxy:
+    external: true
+''
\ No newline at end of file
diff --git a/authentik/docker-compose.yml b/authentik/docker-compose.yml
new file mode 100644
index 0000000..c959e3c
--- /dev/null
+++ b/authentik/docker-compose.yml
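Review bot: The added README lines commit a live database password (`PG_PASS`) and the authentik `AUTHENTIK_SECRET_KEY` in plaintext, and these are exactly the values the new compose file consumes, so anyone with read access to the repository or its history can reuse them against Postgres and against authentik's session signing. Treat both as compromised: rotate them, keep the real values only in a git-ignored project `.env` (which is where compose reads `${PG_PASS}` / `${AUTHENTIK_SECRET_KEY}` from for interpolation), and either rewrite history or accept that the old values remain in it. The same applies to the credentials that sit in label values elsewhere in this patch (`homepage.widget.key=` in the authentik and portainer sections, `homepage.widget.password=` in traefik). If the README is meant to document the variables, keep only the names and a description, e.g. `PG_PASS — Postgres password, set in .env (never committed)`.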
@@ -0,0 +1,106 @@
+services:
+  postgresql:
+    image: docker.io/library/postgres:16-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - /mnt/docker-storage/authentik/database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
+      POSTGRES_USER: ${PG_USER:-authentik}
+      POSTGRES_DB: ${PG_DB:-authentik}
+
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - /mnt/docker-storage/authentik/redis:/data
+
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.0}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+      AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING__ENABLED}
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    volumes:
+      - /mnt/docker-storage/authentik/media:/media
+      - /mnt/docker-storage/authentik/custom-templates:/templates
+    ports:
+      - "${COMPOSE_PORT_HTTP:-9000}:9000"
+      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+    network:
+      - traefik_proxy
+      - default
+    depends_on:
+      - postgresql
+      - redis
+    deploy:
+      labels:
+        - homepage.group=Management
+        - homepage.name=Authentik
+        - homepage.icon=sh-authentik-light
+        - homepage.href=https://auth.$(HOSTNAME)/
+        - homepage.description=Open-source Identity Provider
+        - homepage.widget.type=authentik
+        - homepage.widget.url=http://auth.$(HOSTNAME_LOCAL)/
+        - homepage.widget.key=hJL6cDzzaeN6olr2MJoYkVNDTgfihufib1TWEw0GxjjoIgy9LuYVF4FZjsMX
+
+        - "traefik.enable=true"
+        - "traefik.http.routers.authentik.rule=Host(`auth.$(HOSTNAME_LOCAL)`)"
+        - "traefik.http.routers.authentik.entrypoints=websecure"
+        - "traefik.http.routers.authentik.tls=true"
+        - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
+        - "traefik.http.services.authentik.loadbalancer.server.port=9443"
+        - "traefik.http.services.authentik.loadbalancer.server.scheme=https"
+    env_file:
+      - path: ../dua.env
+
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.0}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+      AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING__ENABLED}
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /mnt/docker-storage/authentik/media:/media
+      - /mnt/docker-storage/authentik/certs:/certs
+      - /mnt/docker-storage/authentik/custom-templates:/templates
+    depends_on:
+      - postgresql
+      - redis
+
+networks:
+  traefik_proxy:
+    external: true
diff --git a/dua.env b/dua.env
new file mode 100644
index 0000000..db2a5e3
--- /dev/null
+++ b/dua.env
@@ -0,0 +1,2 @@
+HOSTNAME=dua.casa
+HOSTNAME_LOCAL=apps.dua.casa
diff --git a/portainer/docker-compose.yml b/portainer/docker-compose.yml
index 7f87df6..acf099e 100644
--- a/portainer/docker-compose.yml
+++ b/portainer/docker-compose.yml
@@ -39,12 +39,12 @@ services:
       - homepage.href=https://portainer.dua.casa/
       - homepage.description=Portainer is a universal container management platform.
       - homepage.widget.type=portainer
-      - homepage.widget.url=https://portainer.apps.dua.casa/
+      - homepage.widget.url=https://portainer.dua.casa/
       - homepage.widget.env=1
       - homepage.widget.key=ptr_2Paj0QMqSY3QE4xGMdxnsncsw8qIBBnflLNtxRZz1a8=
       - "traefik.enable=true"
-      - "traefik.http.routers.portainer.rule=Host(`portainer.apps.dua.casa`)"
+      - "traefik.http.routers.portainer.rule=Host(`portainer.dua.casa`)"
       - "traefik.http.routers.portainer.entrypoints=websecure"
       - "traefik.http.routers.portainer.tls=true"
       - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
index b84bb63..34a73cb 100644
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@@ -87,7 +87,7 @@ services:
       - "traefik.enable=true"
       # Dashboard router
-      - "traefik.http.routers.traefik.rule=Host(`traefik.apps.dua.casa`)"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.dua.casa`)"
       - "traefik.http.routers.traefik.entrypoints=websecure"
       - "traefik.http.routers.traefik.service=api@internal"
       - "traefik.http.routers.traefik.tls=true"
@@ -101,7 +101,7 @@ services:
       - "traefik.http.services.traefik.loadbalancer.server.port=8080"
       # CERT router
-      - "traefik.http.routers.cert.rule=HostRegexp(`{subdomain:.+}.apps.dua.casa`)"
+      - "traefik.http.routers.cert.rule=HostRegexp(`{subdomain:.+}.dua.casa`)"
       - "traefik.http.routers.cert.entrypoints=websecure"
       - "traefik.http.routers.cert.service=noop@internal"
       - "traefik.http.routers.cert.tls=true"
@@ -115,7 +115,7 @@ services:
       - homepage.href=https://traefik.dua.casa
       - homepage.description=A modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
       - homepage.widget.type=traefik
-      - homepage.widget.url=https://traefik.apps.dua.casa
+      - homepage.widget.url=https://traefik.dua.casa
       - homepage.widget.username=admin
       - homepage.widget.password=bykWvHAaQTDy0ts4ZpUAXoT9ztCNmsKg
@@ -129,7 +129,7 @@ services:
       # Enable Service discovery for Traefik
       - "traefik.enable=true"
       # Define the WHoami router rule
-      - "traefik.http.routers.whoami.rule=Host(`whoami.apps.dua.casa`)"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.dua.casa`)"
       # Expose Whoami on the HTTPS entrypoint
       - "traefik.http.routers.whoami.entrypoints=websecure"
       # Enable TLS