Add Authentik SSO, fix Uptime Kuma duplicate, enable SSO on Jellyseerr, and improve documentation

- Add Authentik service stack to infrastructure.yml - Includes Authentik server, worker, PostgreSQL database, and Redis - Alternative SSO with web UI for user management - Access at authentik.${DOMAIN} - Protected by Authelia SSO (comment out to use standalone) - Fix Uptime Kuma duplicate listing - Remove from utilities.yml - Keep only in monitoring.yml where it belongs - Add Traefik labels and SSO protection to monitoring instance - Enable SSO on Jellyseerr by default - Changed from bypass to protected (security-first approach) - Users can comment out SSO if needed for public access - Update SSO toggling documentation - Emphasize commenting out (not removing) middleware line - Add docker command examples for running from outside stack folder - Show both "cd to directory" and "full path" methods - Add examples for starting and stopping services multiple ways - Enhance security-first methodology - Update copilot instructions to default SSO to enabled - Only Plex and Jellyfin bypass SSO by default - All other services start secured, expose gradually - Emphasize commenting (not removing) for easier re-enable - Update services-reference.md - Add Authentik to infrastructure section (12 services) - Move Uptime Kuma to monitoring section (8 services) - Remove from utilities (now 6 services) - Update Jellyseerr SSO status from ✗ to ✓ - Improve Authentik documentation with deployment guidance - Add Authentik environment variables to .env.example - AUTHENTIK_SECRET_KEY, DB credentials - Generation instructions included All changes align with security-first principle: start secure, expose services only when ready for deployment. Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>
2026-01-12 02:33:31 +00:00
parent 3cdf8606ff
commit c7ca73fe78
8 changed files with 218 additions and 54 deletions
--- a/docker-compose/infrastructure.yml
+++ b/docker-compose/infrastructure.yml
@@ -182,9 +182,116 @@ services:
      - "traefik.http.routers.glances.middlewares=authelia@docker"
      - "traefik.http.services.glances.loadbalancer.server.port=61208"

+  # Authentik - Alternative SSO/Identity Provider with Web UI
+  # Access at: https://authentik.${DOMAIN}
+  # NOTE: Authelia is the default SSO. Deploy Authentik only if you need a web UI for user management
+  authentik-server:
+    image: ghcr.io/goauthentik/server:2024.2.0
+    container_name: authentik-server
+    restart: unless-stopped
+    command: server
+    networks:
+      - homelab-network
+      - traefik-network
+    volumes:
+      - /opt/stacks/authentik/media:/media
+      - /opt/stacks/authentik/custom-templates:/templates
+    environment:
+      - AUTHENTIK_REDIS__HOST=authentik-redis
+      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
+      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_DB_USER:-authentik}
+      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_DB_NAME:-authentik}
+      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_DB_PASSWORD}
+      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+      - AUTHENTIK_ERROR_REPORTING__ENABLED=false
+    labels:
+      - "homelab.category=infrastructure"
+      - "homelab.description=SSO/Identity provider with web UI (alternative to Authelia)"
+      - "traefik.enable=true"
+      - "traefik.http.routers.authentik.rule=Host(`authentik.${DOMAIN}`)"
+      - "traefik.http.routers.authentik.entrypoints=websecure"
+      - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.authentik.middlewares=authelia@docker"
+      - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+    depends_on:
+      - authentik-db
+      - authentik-redis
+
+  # Authentik Worker - Background task processor
+  authentik-worker:
+    image: ghcr.io/goauthentik/server:2024.2.0
+    container_name: authentik-worker
+    restart: unless-stopped
+    command: worker
+    networks:
+      - homelab-network
+    volumes:
+      - /opt/stacks/authentik/media:/media
+      - /opt/stacks/authentik/certs:/certs
+      - /opt/stacks/authentik/custom-templates:/templates
+    environment:
+      - AUTHENTIK_REDIS__HOST=authentik-redis
+      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
+      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_DB_USER:-authentik}
+      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_DB_NAME:-authentik}
+      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_DB_PASSWORD}
+      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+      - AUTHENTIK_ERROR_REPORTING__ENABLED=false
+    labels:
+      - "homelab.category=infrastructure"
+      - "homelab.description=Authentik background worker"
+    depends_on:
+      - authentik-db
+      - authentik-redis
+
+  # Authentik Database - PostgreSQL
+  authentik-db:
+    image: postgres:16-alpine
+    container_name: authentik-db
+    restart: unless-stopped
+    networks:
+      - homelab-network
+    volumes:
+      - authentik-db-data:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_USER=${AUTHENTIK_DB_USER:-authentik}
+      - POSTGRES_PASSWORD=${AUTHENTIK_DB_PASSWORD}
+      - POSTGRES_DB=${AUTHENTIK_DB_NAME:-authentik}
+    labels:
+      - "homelab.category=infrastructure"
+      - "homelab.description=Authentik database"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${AUTHENTIK_DB_USER:-authentik}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  # Authentik Redis - Cache and message queue
+  authentik-redis:
+    image: redis:7-alpine
+    container_name: authentik-redis
+    restart: unless-stopped
+    networks:
+      - homelab-network
+    volumes:
+      - authentik-redis-data:/data
+    command: --save 60 1 --loglevel warning
+    labels:
+      - "homelab.category=infrastructure"
+      - "homelab.description=Authentik cache and messaging"
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      interval: 10s
+      timeout: 3s
+      retries: 5
+
 volumes:
  portainer-data:
    driver: local
+  authentik-db-data:
+    driver: local
+  authentik-redis-data:
+    driver: local

 networks:
  homelab-network:
--- a/docker-compose/media-extended.yml
+++ b/docker-compose/media-extended.yml
@@ -166,8 +166,8 @@ services:
      - "traefik.http.routers.jellyseerr.rule=Host(`jellyseerr.${DOMAIN}`)"
      - "traefik.http.routers.jellyseerr.entrypoints=websecure"
      - "traefik.http.routers.jellyseerr.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.jellyseerr.middlewares=authelia@docker"
      - "traefik.http.services.jellyseerr.loadbalancer.server.port=5055"
-      # No Authelia - users should be able to request easily

  # FlareSolverr - Cloudflare bypass for Prowlarr
  # No web UI - used by Prowlarr
--- a/docker-compose/monitoring.yml
+++ b/docker-compose/monitoring.yml
@@ -102,21 +102,27 @@ services:
      - "homelab.description=Container metrics and performance monitoring"

  # Uptime Kuma - Uptime monitoring
-  # Access at: http://server-ip:3001
+  # Access at: https://status.${DOMAIN}
  uptime-kuma:
-    image: louislam/uptime-kuma:1.23.11
+    image: louislam/uptime-kuma:1
    container_name: uptime-kuma
    restart: unless-stopped
    networks:
      - monitoring-network
      - homelab-network
-    ports:
-      - "3001:3001"
+      - traefik-network
    volumes:
      - uptime-kuma-data:/app/data
+      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "homelab.category=monitoring"
      - "homelab.description=Service uptime monitoring and alerts"
+      - "traefik.enable=true"
+      - "traefik.http.routers.uptime-kuma.rule=Host(`status.${DOMAIN}`)"
+      - "traefik.http.routers.uptime-kuma.entrypoints=websecure"
+      - "traefik.http.routers.uptime-kuma.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.uptime-kuma.middlewares=authelia@docker"
+      - "traefik.http.services.uptime-kuma.loadbalancer.server.port=3001"

  # Loki - Log aggregation
  # Access at: http://server-ip:3100
@@ -171,3 +177,5 @@ networks:
    driver: bridge
  homelab-network:
    external: true
+  traefik-network:
+    external: true
--- a/docker-compose/utilities.yml
+++ b/docker-compose/utilities.yml
@@ -59,28 +59,6 @@ services:
      - "traefik.http.routers.duplicati.middlewares=authelia@docker"
      - "traefik.http.services.duplicati.loadbalancer.server.port=8200"

-  # Uptime Kuma - Status monitoring
-  # Access at: https://status.${DOMAIN}
-  uptime-kuma:
-    image: louislam/uptime-kuma:1
-    container_name: uptime-kuma
-    restart: unless-stopped
-    networks:
-      - homelab-network
-      - traefik-network
-    volumes:
-      - /opt/stacks/uptime-kuma/data:/app/data
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-    labels:
-      - "homelab.category=utilities"
-      - "homelab.description=Uptime monitoring and status page"
-      - "traefik.enable=true"
-      - "traefik.http.routers.uptime-kuma.rule=Host(`status.${DOMAIN}`)"
-      - "traefik.http.routers.uptime-kuma.entrypoints=websecure"
-      - "traefik.http.routers.uptime-kuma.tls.certresolver=letsencrypt"
-      - "traefik.http.services.uptime-kuma.loadbalancer.server.port=3001"
-      # No Authelia - public status page
-
  # Code Server - VS Code in browser
  # Access at: https://code.${DOMAIN}
  code-server: