Prerequisites
- domain config DDNS
- 8443 port forward to the docker host in main router
compose.yml
services:
caddy:
container_name: caddy
restart: unless-stopped
build:
context: .
dockerfile_inline: |
FROM caddy:builder-alpine AS builder
RUN xcaddy build \
--with github.com/caddy-dns/cloudflare \
--with github.com/mholt/caddy-webdav
FROM caddy:alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
ports:
- "8443:8443"
environment:
CF_API_TOKEN: ${CF_API_TOKEN}
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:rw
- ./caddy-data:/data
- ./caddy-config:/config
- /mnt:/mnt:ro
networks:
- auth_net
postgresql:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -u $${POSTGRES_USER}"]
volumes:
- ./data/postgres:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${AUTHENTIK_POSTGRESQL_PASSWORD}
POSTGRES_USER: ${AUTHENTIK_POSTGRESQL_USER:-authentik}
POSTGRES_DB: ${AUTHENTIK_POSTGRESQL_DB:-authentik}
networks:
- auth_net
server:
image: ghcr.io/goauthentik/server:2025.12.1
restart: unless-stopped
command: server
environment: # FIXED INDENTATION HERE
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRESQL_PASSWORD}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL}
volumes:
- ./data/media:/media
- ./data/templates:/templates
env_file: [.env]
networks:
- auth_net
worker:
image: ghcr.io/goauthentik/server:2025.12.1
restart: unless-stopped
command: worker
user: root
environment: # FIXED INDENTATION HERE
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRESQL_PASSWORD}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL}
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./data/media:/media
env_file: [.env]
networks:
- auth_net
networks:
auth_net:
driver: bridge
.env
# Cloudflare
CF_API_TOKEN=xxxxxxxxxxxxxxxx
# Authentik
AUTHENTIK_SECRET_KEY=PASTE_OPENSSL_HEX_32
AUTHENTIK_POSTGRESQL__PASSWORD=STRONG_DB_PASSWORD
AUTHENTIK_BOOTSTRAP_PASSWORD=STRONG_ADMIN_PASSWORD
[email protected]
# Site URL (Crucial for Redirection)
AUTHENTIK_HOST=https://auth.domain.com:8443
Commands for generating strong random passwords/secrets
✅ Best / Recommended (cryptographically strong)
🔐 Generate a 64‑character hex secret (perfect for AUTHENTIK_SECRET_KEY)
AUTHENTIK_SECRET_KEY → 50+ random characters is good
openssl rand -hex 32
- Example output:
9f4c3a1e8b7d4e2c6a5b8d9f1c2e3a4b5d6e7f8091a2b3c4d5e6f708192a3b
AUTHENTIK_BOOTSTRAP_PASSWORD → strong, store safely
🔐 Generate a strong password (base64, human‑usable)
openssl rand -base64 24
- Example:
VJz4Qm1H7xkP+Z0C9h8U6sYwD1L0xP==
✔ Good for:
- Postgres password
- Authentik bootstrap admin password
✅ Very Good & Readable (still strong)
🔐 Generate an alphanumeric password
tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
echo
- Example:
MZJ3E6uA9bWm8F2X5kQ0TCR4YdS7nPVa
✔ Easier to type
✔ No special characters (good for apps that are picky)
✅ Diceware‑style (easy to remember, still strong)
shuf -n 4 /usr/share/dict/words | tr '\n' '-'
- Example:
ocean-forest-moon-copper
✔ Great for admin login passwords
❌ Not ideal for secret keys
🔥 My recommendation for Authentik
- Use different secrets for each field:
AUTHENTIK_SECRET_KEY=$(openssl rand -hex 32)
AUTHENTIK_POSTGRESQL__PASSWORD=$(openssl rand -base64 24)
AUTHENTIK_BOOTSTRAP_PASSWORD=$(openssl rand -base64 20)
- If you want to auto‑generate and write them into .env:
cat <<EOF > .env
AUTHENTIK_SECRET_KEY=$(openssl rand -hex 32)
AUTHENTIK_POSTGRESQL__PASSWORD=$(openssl rand -base64 24)
AUTHENTIK_BOOTSTRAP_PASSWORD=$(openssl rand -base64 20)
[email protected]
EOF
.env permissions:
chmod 600 .env
Caddyfile
*.yourdomain.com { #your domain name with wildcard DNS challenge(dns-01)
bind 0.0.0.0:8443
tls {
dns cloudflare {env.CF_API_TOKEN}
propagation_delay 2m
resolvers 1.1.1.1
}
encode gzip zstd # ✅ This enables gzip and zstd compression globally for all responses
@nas host nas.yourdomain.com #subdomain name,nas as example
handle @nas {
route { #snippet for caddy forward to authentik
reverse_proxy /outpost.goauthentik.io/* http://authentik-server-1:9000
forward_auth http://authentik-server-1:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
trusted_proxies private_ranges
}
}
reverse_proxy 192.168.1.10:5000
}
handle {
respond "Default route: domain matched, no subdomain rule" 404
}
}
caddy docker command for caddy reload
docker exec -w /etc/caddy caddy caddy reload
评论区