diff --git a/ct/authentik.sh b/ct/authentik.sh
new file mode 100644
index 000000000..58d332bff
--- /dev/null
+++ b/ct/authentik.sh
@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Thieneret
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/goauthentik/authentik
+
+APP="authentik"
+var_tags="${var_tags:-auth}"
+var_cpu="${var_cpu:-4}"
+var_ram="${var_ram:-4096}"
+var_disk="${var_disk:-16}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+ header_info
+ check_container_storage
+ check_container_resources
+
+ if [[ ! -d /opt/authentik ]]; then
+ msg_error "No authentik Installation Found!"
+ exit
+ fi
+
+ NODE_VERSION="24" setup_nodejs
+ setup_go
+ UV_PYTHON_INSTALL_DIR="/usr/local/bin" PYTHON_VERSION="3.14.3" setup_uv
+ setup_rust
+
+ AUTHENTIK_VERSION="version/2026.2.2"
+ XMLSEC_VERSION="1.3.11"
+
+ if check_for_gh_release "geoipupdate" "maxmind/geoipupdate"; then
+ fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary"
+ fi
+
+ if check_for_gh_release "xmlsec" "lsh123/xmlsec" "${XMLSEC_VERSION}"; then
+ CLEAN_INSTALL=1 fetch_and_deploy_gh_release "xmlsec" "lsh123/xmlsec" "tarball" "${XMLSEC_VERSION}" "/opt/xmlsec"
+
+ msg_info "Updating xmlsec"
+ cd /opt/xmlsec
+ $STD ./autogen.sh
+ $STD make -j $(nproc)
+ $STD make check
+ $STD make install
+ $STD ldconfig
+ msg_ok "Updated xmlsec"
+ fi
+
+ if check_for_gh_release "authentik" "goauthentik/authentik" "${AUTHENTIK_VERSION}"; then
+ msg_info "Stopping Services"
+ systemctl stop authentik-server authentik-worker
+ if [[ $(systemctl is-active authentik-ldap) == active ]]; then
+ systemctl stop authentik-ldap
+ fi
+ if [[ $(systemctl is-active authentik-rac) == active ]]; then
+ systemctl stop authentik-rac
+ fi
+ if [[ $(systemctl is-active authentik-radius) == active ]]; then
+ systemctl stop authentik-radius
+ fi
+ msg_ok "Stopped Services"
+
+ CLEAN_INSTALL=1 fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tarball" "${AUTHENTIK_VERSION}" "/opt/authentik"
+
+ msg_info "Updating web"
+ cd /opt/authentik/web
+ export NODE_ENV="production"
+ $STD npm install
+ $STD npm run build
+ $STD npm run build:sfe
+ msg_ok "Updated web"
+
+ msg_info "Updating go proxy"
+ cd /opt/authentik
+ export CGO_ENABLED="1"
+ $STD go mod download
+ $STD go build -o /opt/authentik/authentik-server ./cmd/server
+ $STD go build -o /opt/authentik/ldap ./cmd/ldap
+ $STD go build -o /opt/authentik/rac ./cmd/rac
+ $STD go build -o /opt/authentik/radius ./cmd/radius
+ msg_ok "Updated go proxy"
+
+ msg_info "Updating python server"
+ export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+ export UV_COMPILE_BYTECODE="1"
+ export UV_LINK_MODE="copy"
+ export UV_NATIVE_TLS="1"
+ export RUSTUP_PERMIT_COPY_RENAME="true"
+ export UV_PYTHON_INSTALL_DIR="/usr/local/bin"
+ cd /opt/authentik
+ $STD uv sync --frozen --no-install-project --no-dev
+ chown -R authentik:authentik /opt/authentik
+ msg_ok "Updated python server"
+ fi
+
+ msg_info "Starting Services"
+ systemctl start authentik-server authentik-worker
+ if [[ $(systemctl is-enabled authentik-ldap) == enabled ]]; then
+ systemctl start authentik-ldap
+ fi
+ if [[ $(systemctl is-enabled authentik-rac) == enabled ]]; then
+ systemctl start authentik-rac
+ fi
+ if [[ $(systemctl is-enabled authentik-radius) == enabled ]]; then
+ systemctl start authentik-radius
+ fi
+ msg_ok "Started Services"
+ msg_ok "Updated successfully!"
+ exit
+}
+
+start
+build_container
+
+msg_info "Attaching data storage volume"
+$STD pct stop "$CTID"
+if [ "${PROTECT_CT:-}" == "1" ] || [ "${PROTECT_CT:-}" == "yes" ]; then
+ $STD pct set "$CTID" --protection 0
+ $STD pct set "$CTID" -mp0 "${CONTAINER_STORAGE}":1,mp=/opt/authentik-data,backup=1
+ $STD pct set "$CTID" --protection 1
+else
+ $STD pct set "$CTID" -mp0 "${CONTAINER_STORAGE}":1,mp=/opt/authentik-data,backup=1
+fi
+$STD pct start "$CTID"
+for i in {1..10}; do
+ pct status "$CTID" | grep -q "status: running" && break
+ sleep 1
+done
+$STD pct exec "$CTID" -- bash -c "mkdir -p /opt/authentik-data/{certs,media,geoip,templates}; \
+ cp /opt/authentik/tests/GeoLite2-ASN-Test.mmdb /opt/authentik-data/geoip/GeoLite2-ASN.mmdb; \
+ cp /opt/authentik/tests/GeoLite2-City-Test.mmdb /opt/authentik-data/geoip/GeoLite2-City.mmdb; \
+ chown authentik:authentik /opt/authentik-data; \
+ chown -R authentik:authentik /opt/authentik-data/{certs,media,geoip,templates}"
+msg_ok "Attached data storage volume"
+
+msg_info "Starting Services"
+pct exec "$CTID" -- systemctl enable -q --now authentik-server authentik-worker
+msg_ok "Started Services"
+
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Initial setup URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000/if/flow/initial-setup/${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000${CL}"
diff --git a/ct/headers/authentik b/ct/headers/authentik
new file mode 100644
index 000000000..40f5a7999
--- /dev/null
+++ b/ct/headers/authentik
@@ -0,0 +1,6 @@
+ __ __ __ _ __
+ ____ ___ __/ /_/ /_ ___ ____ / /_(_) /__
+ / __ `/ / / / __/ __ \/ _ \/ __ \/ __/ / //_/
+/ /_/ / /_/ / /_/ / / / __/ / / / /_/ / ,<
+\__,_/\__,_/\__/_/ /_/\___/_/ /_/\__/_/_/|_|
+
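Review bot: The readiness loop after `$STD pct start "$CTID"` (`for i in {1..10}`) falls through silently when the container never reports `status: running`, so the following `pct exec` fails with an unrelated error instead of a clear message; add a check after `done`, e.g. `pct status "$CTID" | grep -q "status: running" || { msg_error "Container $CTID did not reach running state"; exit 1; }` (whether `msg_error` already exits depends on build.func, hence the explicit `exit 1`). The loop variable `i` is unused (ShellCheck SC2034), so `for _ in {1..10}; do` states the intent. The `-mp0` line is duplicated in both branches of the `PROTECT_CT` test; only the `--protection 0` / `--protection 1` toggles differ, so the mount can be hoisted and wrapped by the two toggles instead. Separately, `blueprints_dir` in the install script points at `/opt/authentik/blueprints`, which `CLEAN_INSTALL=1 fetch_and_deploy_gh_release` replaces on every update, so any custom blueprints placed there are lost; a comment such as `# CLEAN_INSTALL wipes /opt/authentik, including blueprints_dir — keep custom blueprints elsewhere` next to that call would warn maintainers.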
diff --git a/install/authentik-install.sh b/install/authentik-install.sh
new file mode 100644
index 000000000..0ab531a6a
--- /dev/null
+++ b/install/authentik-install.sh
@@ -0,0 +1,257 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Thieneret
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/goauthentik/authentik
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+ build-essential \
+ pkg-config \
+ libffi-dev \
+ libxslt-dev \
+ zlib1g-dev \
+ libpq-dev \
+ krb5-multidev \
+ libkrb5-dev \
+ heimdal-multidev \
+ libclang-dev \
+ libltdl-dev \
+ libpq5 \
+ libmaxminddb0 \
+ libkrb5-3 \
+ libkdb5-10 \
+ libkadm5clnt-mit12 \
+ libkadm5clnt7t64-heimdal \
+ libltdl7 \
+ libxslt1.1 \
+ python3-dev \
+ libxml2-dev \
+ libxml2 \
+ libxslt1-dev \
+ automake \
+ autoconf \
+ libtool \
+ libtool-bin \
+ gcc \
+ git
+msg_ok "Installed Dependencies"
+
+NODE_VERSION="24" setup_nodejs
+setup_yq
+setup_go
+UV_PYTHON_INSTALL_DIR="/usr/local/bin" PYTHON_VERSION="3.14.3" setup_uv
+setup_rust
+PG_VERSION="17" setup_postgresql
+PG_DB_NAME="authentik" PG_DB_USER="authentik" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db
+
+XMLSEC_VERSION="1.3.11"
+AUTHENTIK_VERSION="version/2026.2.2"
+fetch_and_deploy_gh_release "xmlsec" "lsh123/xmlsec" "tarball" "${XMLSEC_VERSION}" "/opt/xmlsec"
+fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tarball" "${AUTHENTIK_VERSION}" "/opt/authentik"
+fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary"
+
+msg_info "Setup xmlsec"
+cd /opt/xmlsec
+$STD ./autogen.sh
+$STD make -j $(nproc)
+$STD make check
+$STD make install
+$STD ldconfig
+msg_ok "xmlsec installed"
+
+msg_info "Setup web"
+cd /opt/authentik/web
+export NODE_ENV="production"
+$STD npm install
+$STD npm run build
+$STD npm run build:sfe
+msg_ok "Web installed"
+
+msg_info "Setup go proxy"
+cd /opt/authentik
+export CGO_ENABLED="1"
+$STD go mod download
+$STD go build -o /opt/authentik/authentik-server ./cmd/server
+$STD go build -o /opt/authentik/ldap ./cmd/ldap
+$STD go build -o /opt/authentik/rac ./cmd/rac
+$STD go build -o /opt/authentik/radius ./cmd/radius
+msg_ok "Go proxy installed"
+
+cat </usr/local/etc/GeoIP.conf
+AccountID ChangeME
+LicenseKey ChangeME
+EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country
+DatabaseDirectory /opt/authentik-data/geoip
+RetryFor 5m
+Parallelism 1
+EOF
+
+echo "#39 19 * * 6,4 /usr/bin/geoipupdate -f /usr/local/etc/GeoIP.conf" | crontab -
+
+msg_info "Setup python server"
+export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+export UV_COMPILE_BYTECODE="1"
+export UV_LINK_MODE="copy"
+export UV_NATIVE_TLS="1"
+export RUSTUP_PERMIT_COPY_RENAME="true"
+export UV_PYTHON_INSTALL_DIR="/usr/local/bin"
+cd /opt/authentik
+$STD uv sync --frozen --no-install-project --no-dev
+cp /opt/authentik/authentik/sources/kerberos/krb5.conf /etc/krb5.conf
+msg_ok "Installed python server"
+
+msg_info "Creating authentik config"
+mkdir -p /etc/authentik
+mv /opt/authentik/authentik/lib/default.yml /etc/authentik/config.yml
+yq -i ".secret_key = \"$(openssl rand -base64 128 | tr -dc 'a-zA-Z0-9' | head -c64)\"" /etc/authentik/config.yml
+yq -i ".postgresql.password = \"${PG_DB_PASS}\"" /etc/authentik/config.yml
+yq -i ".events.context_processors.geoip = \"/opt/authentik-data/geoip/GeoLite2-City.mmdb\"" /etc/authentik/config.yml
+yq -i ".events.context_processors.asn = \"/opt/authentik-data/geoip/GeoLite2-ASN.mmdb\"" /etc/authentik/config.yml
+yq -i ".blueprints_dir = \"/opt/authentik/blueprints\"" /etc/authentik/config.yml
+yq -i ".cert_discovery_dir = \"/opt/authentik-data/certs\"" /etc/authentik/config.yml
+yq -i ".email.template_dir = \"/opt/authentik-data/templates\"" /etc/authentik/config.yml
+yq -i ".storage.file.path = \"/opt/authentik-data\"" /etc/authentik/config.yml
+yq -i ".disable_startup_analytics = \"true\"" /etc/authentik/config.yml
+$STD useradd -U -s /usr/sbin/nologin -r -M -d /opt/authentik authentik
+chown -R authentik:authentik /opt/authentik
+cat </etc/default/authentik
+TMPDIR=/dev/shm/
+UV_LINK_MODE=copy
+UV_PYTHON_DOWNLOADS=0
+UV_NATIVE_TLS=1
+VENV_PATH=/opt/authentik/.venv
+PYTHONDONTWRITEBYTECODE=1
+PYTHONUNBUFFERED=1
+PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+DJANGO_SETTINGS_MODULE=authentik.root.settings
+PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
+EOF
+cat </etc/default/authentik_ldap
+AUTHENTIK_HOST="https://127.0.0.1:9443"
+AUTHENTIK_INSECURE="true"
+AUTHENTIK_TOKEN="token-generated-by-authentik"
+EOF
+cat </etc/default/authentik_rac
+AUTHENTIK_HOST="https://127.0.0.1:9443"
+AUTHENTIK_INSECURE="true"
+AUTHENTIK_TOKEN="token-generated-by-authentik"
+EOF
+cat </etc/default/authentik_radius
+AUTHENTIK_HOST="https://127.0.0.1:9443"
+AUTHENTIK_INSECURE="true"
+AUTHENTIK_TOKEN="token-generated-by-authentik"
+EOF
+msg_ok "authentik config created"
+
+msg_info "Creating services"
+cat </etc/systemd/system/authentik-server.service
+[Unit]
+Description=authentik Go Server (API Gateway)
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
+ExecStart=/opt/authentik/authentik-server
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat </etc/systemd/system/authentik-worker.service
+[Unit]
+Description=authentik Worker
+After=network.target postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+Type=simple
+EnvironmentFile=/etc/default/authentik
+ExecStart=/usr/local/bin/uv run python -m manage worker --pid-file /dev/shm/authentik-worker.pid
+WorkingDirectory=/opt/authentik
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat </etc/systemd/system/authentik-ldap.service
+[Unit]
+Description=authentik LDAP Outpost
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStart=/opt/authentik/ldap
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik_ldap
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat </etc/systemd/system/authentik-rac.service
+[Unit]
+Description=authentik RAC Outpost
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStart=/opt/authentik/rac
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik_rac
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat </etc/systemd/system/authentik-radius.service
+[Unit]
+Description=authentik Radius Outpost
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStart=/opt/authentik/radius
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik_radius
+
+[Install]
+WantedBy=multi-user.target
+EOF
+msg_ok "Services created"
+
+motd_ssh
+customize
+cleanup_lxc
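Review bot: `/etc/authentik/config.yml` receives the generated `secret_key` and `${PG_DB_PASS}`, and `/etc/default/authentik_ldap`, `authentik_rac` and `authentik_radius` are written to hold an `AUTHENTIK_TOKEN`, but nothing in the hunk restricts their mode, so with the default umask these files are readable by every account in the container. The server and worker run as `authentik` and read `config.yml` themselves, while the `EnvironmentFile=` entries are read by systemd as root, so adding `chown root:authentik /etc/authentik/config.yml`, `chmod 640 /etc/authentik/config.yml` and `chmod 600 /etc/default/authentik_ldap /etc/default/authentik_rac /etc/default/authentik_radius` after the heredocs keeps the units working while closing the read access. `echo "#39 19 * * 6,4 ..." | crontab -` replaces root's entire crontab rather than appending, which is harmless on a fresh container but deserves a comment, particularly as the entry itself is commented out. `PG_DB_GRANT_SUPERUSER="true"` grants the application role cluster-wide superuser; if authentik only needs ownership of its own database, dropping that flag would follow least privilege — confirm against the upstream PostgreSQL requirements before changing it.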