nik/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Authentik configuration and related resources for improved authentication management

Browse Source
This commit is contained in:
Nik Afiq 2026-03-11 00:02:00 +09:00
parent 4da33ceaed
commit a7f7cd4095
11 changed files with 279 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.env.example
View File

@ -9,4 +9,6 @@ K3S_NODE_TOKEN=your_token_here
GITEA_RUNNER_TOKEN=your_token_here GITEA_RUNNER_TOKEN=your_token_here
# Grafana admin password # Grafana admin password
GRAFANA_ADMIN_PASSWORD=your_password_here GRAFANA_ADMIN_PASSWORD=your_password_here
AUTHENTIK_PROXY_TOKEN=your_token_here

29
manifests/authentik-ingress.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: authentik-tls
namespace: authentik
spec:
secretName: authentik-tls
issuerRef:
name: internal-ca
kind: ClusterIssuer
dnsNames:
- auth.home.arpa
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: authentik
namespace: authentik
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.home.arpa`)
kind: Rule
services:
- name: authentik-server
port: 80
tls:
secretName: authentik-tls

31
manifests/authentik-middleware.yaml Normal file
View File

@ -0,0 +1,31 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: authentik-auth
namespace: authentik
spec:
forwardAuth:
address: http://authentik-proxy-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: lan-bypass
namespace: authentik
spec:
ipAllowList:
sourceRange:
- 192.168.7.0/24

53
manifests/authentik-proxy-outpost.yaml Normal file
View File

@ -0,0 +1,53 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: authentik-proxy-outpost
namespace: authentik
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-proxy-outpost
namespace: authentik
spec:
replicas: 1
selector:
matchLabels:
app: authentik-proxy-outpost
template:
metadata:
labels:
app: authentik-proxy-outpost
spec:
serviceAccountName: authentik-proxy-outpost
containers:
- name: proxy
image: ghcr.io/goauthentik/proxy:2026.2.1
env:
- name: AUTHENTIK_HOST
value: "https://auth.home.arpa"
- name: AUTHENTIK_INSECURE
value: "true"
- name: AUTHENTIK_TOKEN
valueFrom:
secretKeyRef:
name: authentik-proxy-token
key: token
ports:
- containerPort: 9000
name: http
- containerPort: 9443
name: https
---
apiVersion: v1
kind: Service
metadata:
name: authentik-proxy-outpost
namespace: authentik
spec:
selector:
app: authentik-proxy-outpost
ports:
- name: http
port: 9000
targetPort: 9000

8
manifests/authentik-proxy-secret.sh Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
set -euo pipefail
source "$(dirname "$0")/../.env"
kubectl create secret generic authentik-proxy-token \
--namespace authentik \
--from-literal=token="${AUTHENTIK_PROXY_TOKEN}" \
--dry-run=client -o yaml | kubectl apply -f -

7
manifests/authentik-secret.sh Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
# Run once to create the Authentik secret. Safe to re-run (dry-run + apply).
kubectl create secret generic authentik-secrets \
--namespace authentik \
--from-literal=secret-key="$(openssl rand -base64 50)" \
--from-literal=postgresql-password="$(openssl rand -base64 24)" \
--dry-run=client -o yaml | kubectl apply -f -

0
manifests/pihole-debian-patch.sh Normal file → Executable file
View File

48
manifests/traefik-dashboard-ingress.yaml Normal file
View File

@ -0,0 +1,48 @@
# Traefik dashboard IngressRoute and TLS certificate for accessing the dashboard at https://traefik.home.arpa. The dashboard is protected by the authentik authentication middleware, with a bypass for LAN clients.
# Apply: kubectl apply -f manifests/traefik-dashboard-ingress.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`traefik.home.arpa`) && PathPrefix(`/outpost.goauthentik.io`)
kind: Rule
services:
- name: authentik-proxy-outpost
namespace: authentik
port: 9000
- match: Host(`traefik.home.arpa`) && PathPrefix(`/dashboard`)
kind: Rule
middlewares:
- name: authentik-auth
namespace: authentik
services:
- name: api@internal
kind: TraefikService
- match: Host(`traefik.home.arpa`) && PathPrefix(`/api`)
kind: Rule
middlewares:
- name: authentik-auth
namespace: authentik
services:
- name: api@internal
kind: TraefikService
tls:
secretName: traefik-dashboard-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: traefik-dashboard-tls
namespace: traefik
spec:
secretName: traefik-dashboard-tls
issuerRef:
name: internal-ca
kind: ClusterIssuer
dnsNames:
- traefik.home.arpa

88
values/authentik.yaml Normal file
View File

@ -0,0 +1,88 @@
# authentik Helm values
# Deploy:
# helm upgrade --install authentik authentik/authentik \
# --namespace authentik \
# --version 2026.2.1 \
# --values values/authentik.yaml \
# --wait --timeout 5m
authentik:
secret_key: "" # kept blank — comes from existingSecret via env below
existingSecret:
secretName: "" # kept blank — not used directly, but required to avoid Helm validation error
log_level: info
error_reporting:
enabled: false
server:
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-secrets
key: secret-key
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-secrets
key: postgresql-password
- name: AUTHENTIK_POSTGRESQL__HOST
value: "authentik-postgresql"
- name: AUTHENTIK_POSTGRESQL__USER
value: "authentik"
- name: AUTHENTIK_POSTGRESQL__NAME
value: "authentik"
worker:
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-secrets
key: secret-key
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-secrets
key: postgresql-password
- name: AUTHENTIK_POSTGRESQL__HOST
value: "authentik-postgresql"
- name: AUTHENTIK_POSTGRESQL__USER
value: "authentik"
- name: AUTHENTIK_POSTGRESQL__NAME
value: "authentik"
postgresql:
enabled: true
auth:
username: authentik
database: authentik
existingSecret: authentik-secrets
secretKeys:
adminPasswordKey: postgresql-password
userPasswordKey: postgresql-password
primary:
persistence:
enabled: true
podAnnotations:
helm.sh/resource-policy: keep
redis:
enabled: true
auth:
enabled: false
additionalObjects:
- apiVersion: v1
kind: Service
metadata:
name: authentik-worker
namespace: authentik
spec:
selector:
app.kubernetes.io/component: worker
app.kubernetes.io/instance: authentik
ports:
- name: http
port: 9000
targetPort: 9000

4
values/pihole.yaml
View File

@ -79,4 +79,6 @@ dnsmasq:
- address=/jdownloader.home.arpa/192.168.7.77 - address=/jdownloader.home.arpa/192.168.7.77
- address=/glances.home.arpa/192.168.7.77 - address=/glances.home.arpa/192.168.7.77
- address=/glances-debian.home.arpa/192.168.7.77 - address=/glances-debian.home.arpa/192.168.7.77
- address=/ca.home.arpa/1 - address=/ca.home.arpa/192.168.7.77
- address=/auth.home.arpa/192.168.7.77
- address=/traefik.home.arpa/192.168.7.77

10
values/traefik.yaml
View File

@ -49,6 +49,10 @@ additionalArguments:
- "--certificatesresolvers.letsencrypt.acme.email=nik.afiq98@ymail.com" - "--certificatesresolvers.letsencrypt.acme.email=nik.afiq98@ymail.com"
- "--certificatesresolvers.letsencrypt.acme.storage=/data/traefik/acme.json" - "--certificatesresolvers.letsencrypt.acme.storage=/data/traefik/acme.json"
providers:
kubernetesCRD:
allowCrossNamespace: true
volumes: volumes:
- name: traefik-data - name: traefik-data
hostPath: hostPath:
@ -60,4 +64,8 @@ logs:
general: general:
level: INFO level: INFO
access: access:
enabled: true enabled: true
api:
dashboard: true
insecure: false