From 9f7a8894476fbba36baadb01271976a7f3617458 Mon Sep 17 00:00:00 2001
From: Dobromir Popov
Date: Tue, 6 Jan 2026 11:36:41 +0200
Subject: [PATCH] auto secrets with bash

---
 GW/authentik,yml | 69 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 60 insertions(+), 9 deletions(-)

diff --git a/GW/authentik,yml b/GW/authentik,yml
index 3309083..16f96ef 100644
--- a/GW/authentik,yml
+++ b/GW/authentik,yml
@@ -1,34 +1,74 @@ services: + # Init service - generates secrets on first run and outputs them to logs + init-secrets: + image: alpine:latest + command: + - sh + - -c + - | + if [ ! -f /secrets/.initialized ]; then + PG_PASS=$$(head -c 32 /dev/urandom | base64 | tr -d '\n') + SECRET_KEY=$$(head -c 64 /dev/urandom | base64 | tr -d '\n') + echo "$$PG_PASS" > /secrets/pg_pass + echo "$$SECRET_KEY" > /secrets/secret_key + touch /secrets/.initialized + echo "========================================================" + echo " AUTHENTIK SECRETS GENERATED - SAVE THESE!" + echo "========================================================" + echo "PG_PASS: $$PG_PASS" + echo "" + echo "AUTHENTIK_SECRET_KEY: $$SECRET_KEY" + echo "========================================================" + else + echo "Secrets already initialized, skipping generation." + echo "PG_PASS: $$(cat /secrets/pg_pass)" + echo "AUTHENTIK_SECRET_KEY: $$(cat /secrets/secret_key)" + fi + volumes: + - secrets:/secrets + restart: "no" + postgresql: + image: docker.io/library/postgres:16-alpine + depends_on: + init-secrets: + condition: service_completed_successfully environment: POSTGRES_DB: authentik - POSTGRES_PASSWORD: CHANGE_THIS_TO_A_SECURE_PASSWORD_1 POSTGRES_USER: authentik + POSTGRES_PASSWORD_FILE: /secrets/pg_pass healthcheck: interval: 30s retries: 5 start_period: 20s test: - CMD-SHELL - - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER} + - pg_isready -d authentik -U authentik timeout: 5s - image: docker.io/library/postgres:16-alpine restart: unless-stopped volumes: - database:/var/lib/postgresql/data + - secrets:/secrets:ro server: + image: ghcr.io/goauthentik/server:2025.10.3 command: server depends_on: postgresql: condition: service_healthy + init-secrets: + condition: service_completed_successfully + entrypoint: + - sh + - -c + - | + export AUTHENTIK_SECRET_KEY=$$(cat /secrets/secret_key) + export AUTHENTIK_POSTGRESQL__PASSWORD=$$(cat /secrets/pg_pass) + exec /usr/local/bin/dumb-init -- ak 
server environment: AUTHENTIK_POSTGRESQL__HOST: postgresql AUTHENTIK_POSTGRESQL__NAME: authentik - AUTHENTIK_POSTGRESQL__PASSWORD: CHANGE_THIS_TO_A_SECURE_PASSWORD_1 AUTHENTIK_POSTGRESQL__USER: authentik - AUTHENTIK_SECRET_KEY: CHANGE_THIS_TO_A_LONG_RANDOM_SECRET_KEY_AT_LEAST_50_CHARS - image: ghcr.io/goauthentik/server:2025.10.3 ports: - 9000:9000 - 9443:9443 @@ -36,19 +76,27 @@ services: volumes: - ./media:/media - ./custom-templates:/templates + - secrets:/secrets:ro worker: + image: ghcr.io/goauthentik/server:2025.10.3 command: worker depends_on: postgresql: condition: service_healthy + init-secrets: + condition: service_completed_successfully + entrypoint: + - sh + - -c + - | + export AUTHENTIK_SECRET_KEY=$$(cat /secrets/secret_key) + export AUTHENTIK_POSTGRESQL__PASSWORD=$$(cat /secrets/pg_pass) + exec /usr/local/bin/dumb-init -- ak worker environment: AUTHENTIK_POSTGRESQL__HOST: postgresql AUTHENTIK_POSTGRESQL__NAME: authentik - AUTHENTIK_POSTGRESQL__PASSWORD: CHANGE_THIS_TO_A_SECURE_PASSWORD_1 AUTHENTIK_POSTGRESQL__USER: authentik - AUTHENTIK_SECRET_KEY: CHANGE_THIS_TO_A_LONG_RANDOM_SECRET_KEY_AT_LEAST_50_CHARS - image: ghcr.io/goauthentik/server:2025.10.3 restart: unless-stopped user: root volumes: @@ -56,7 +104,10 @@ services: - ./media:/media - ./certs:/certs - ./custom-templates:/templates + - secrets:/secrets:ro volumes: database: + driver: local + secrets: driver: local \ No newline at end of file
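Review bot: The new init-secrets script prints the generated PG_PASS and AUTHENTIK_SECRET_KEY to stdout on the first run and again, via `cat`, on every later start, so both secrets land in the container log stream (`docker compose logs`, whatever log driver or collector is attached) and stay there for as long as those logs are retained. The files in the secrets volume are already the durable copy, so the echo lines can go and the script can just report the paths; anyone who needs the values reads them from the volume. The script also runs without `set -eu`, so if the `head | base64 | tr` pipeline ever yields an empty string the empty file is still written and `.initialized` is still touched, locking in an empty password — an explicit non-empty check before the marker is written closes that. `image: alpine:latest` is the only unpinned image in the file; pinning it like `postgres:16-alpine` and `server:2025.10.3` keeps the secret-generation step reproducible. The files are created with the container's default umask (world-readable); tightening that needs the uids the postgres and authentik processes run as, which this file does not show, so check before changing it.

```yaml
    command:
      - sh
      - -c
      - |
        set -eu
        if [ ! -f /secrets/.initialized ]; then
          PG_PASS=$$(head -c 32 /dev/urandom | base64 | tr -d '\n')
          SECRET_KEY=$$(head -c 64 /dev/urandom | base64 | tr -d '\n')
          if [ -z "$$PG_PASS" ] || [ -z "$$SECRET_KEY" ]; then
            echo "secret generation failed, not writing marker" >&2
            exit 1
          fi
          echo "$$PG_PASS" > /secrets/pg_pass
          echo "$$SECRET_KEY" > /secrets/secret_key
          touch /secrets/.initialized
          echo "Secrets written to /secrets/pg_pass and /secrets/secret_key"
        else
          echo "Secrets already initialized, skipping generation."
        fi
    # … unchanged: volumes, restart …
```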
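Review bot: `command: worker` survives under the new `entrypoint:` override, but because the entrypoint is `sh -c <script>` that value only becomes the script's `$0` and is never executed — the sub-command actually run is the hard-coded `ak worker` inside the block scalar, and the same holds for `command: server` in the `server` service in the hunk above. Either drop the two `command:` keys so the script is visibly the single source of truth, or keep them meaningful by ending both scripts with `exec /usr/local/bin/dumb-init -- ak "$$0"`. The override also hard-codes the image's internal `dumb-init` path; if the upstream entrypoint does anything beyond that (I cannot see it from here) it is silently lost on upgrade, so a comment above `entrypoint:` recording why it is replaced would help the next maintainer. If the deployed authentik version accepts the `file://` prefix for configuration values, `AUTHENTIK_SECRET_KEY: file:///secrets/secret_key` and `AUTHENTIK_POSTGRESQL__PASSWORD: file:///secrets/pg_pass` under `environment:` would remove the entrypoint override altogether — worth confirming against the 2025.10 docs before relying on it.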