This page documents how Authentik is deployed and integrated in Enclari. It matches the current Compose you use and provides click paths for common tasks.
- web (external)
- https://${AUTHENTIK_DOMAIN}
- web network

Key points from your running Compose (abridged to essentials):
```yaml
services:
  db:
    image: postgres:16-alpine
    volumes:
      - auth_pgdata:/var/lib/postgresql/data
    networks: [web]
  redis:
    image: redis:7-alpine
    command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}"]
    networks: [web]
  server:
    container_name: authentik-server
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    command: server
    # Publishes port 9000 on the host in addition to the Traefik route below.
    ports: ["9000:9000"]
    environment:
      AUTHENTIK_POSTGRESQL__HOST: db
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_EXTERNAL_URL: https://${AUTHENTIK_DOMAIN}
    volumes:
      - ./media:/media
      - ./templates:/templates
    networks: [web]
    labels:
      traefik.enable: "true"
      traefik.docker.network: web
      traefik.http.routers.authentik.rule: Host(`${AUTHENTIK_DOMAIN}`)
      traefik.http.routers.authentik.entrypoints: websecure
      traefik.http.routers.authentik.tls: "true"
      traefik.http.routers.authentik.tls.certresolver: le
      traefik.http.routers.authentik.service: authentik
      traefik.http.services.authentik.loadbalancer.server.port: "9000"
      traefik.http.services.authentik.loadbalancer.server.scheme: http
      # Global ForwardAuth middleware to reuse on other routers
      traefik.http.middlewares.authentik-forwardauth.forwardauth.address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
      # Trusts X-Forwarded-* headers already present on the incoming request.
      traefik.http.middlewares.authentik-forwardauth.forwardauth.trustForwardHeader: "true"
      traefik.http.middlewares.authentik-forwardauth.forwardauth.authResponseHeaders: "Authorization, X-Authentik-Username, X-Authentik-Groups, X-Authentik-Email"
      # Outpost path routing for protected hosts (pattern)
      traefik.http.routers.ak-portainer.rule: "Host(`portainer.enclari.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      traefik.http.routers.ak-portainer.entrypoints: websecure
      traefik.http.routers.ak-portainer.tls: "true"
      traefik.http.routers.ak-portainer.tls.certresolver: le
      traefik.http.routers.ak-portainer.service: authentik
      traefik.http.routers.ak-portainer.priority: "1000"
  worker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    command: worker
    networks: [web]
volumes:
  auth_pgdata:
networks:
  web:
    external: true
```
- https://auth.enclari.com and sign in as admin.
- Wiki.js OIDC
- code
- https://docs.enclari.com/login/<id>/callback.
- openid email profile
- Wiki.js
- Wiki.js OIDC
- wikijs
- https://docs.enclari.com
- https://auth.enclari.com/application/o/wikijs/
- https://auth.enclari.com/application/o/authorize/
- https://auth.enclari.com/application/o/token/
- https://auth.enclari.com/application/o/userinfo/
- email to Email, preferred_username to Username, name to Display Name

For any router in Traefik, add the middleware reference:
- traefik.http.routers.<name>.middlewares=authentik-forwardauth@docker,secure-headers
This uses the middleware defined on the Authentik server service and applies SSO before the app.
The Authentik outpost uses PathPrefix("/outpost.goauthentik.io/") on protected hosts. These routers are already defined on the Authentik server service. Use the same pattern for any new protected host you add.
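A label audit for the two rules above, as an added example that is not part of the Enclari setup: it lists app routers whose middleware chain lacks the ForwardAuth middleware, and protected hosts that have no matching outpost router. The router names and `example.test` hosts in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import re

MIDDLEWARE = {"authentik-forwardauth", "authentik-forwardauth@docker"}  # name from this page
OUTPOST_PREFIX = "/outpost.goauthentik.io/"  # outpost path from this page
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(rule|middlewares|service)$")
HOST = re.compile(r"Host\(`([^`]+)`\)")

def routers_from_labels(labels):
    """Group flat Traefik labels into {router: {"rule": ..., "middlewares": ...}}."""
    routers = {}
    for key, value in labels.items():
        match = ROUTER_KEY.match(key)
        if match:
            routers.setdefault(match.group(1), {})[match.group(2)] = value
    return routers

def audit(labels):
    """Return sorted (router, finding) pairs for app routers that need review."""
    routers = routers_from_labels(labels)
    outpost_hosts = {h for r in routers.values() if OUTPOST_PREFIX in r.get("rule", "")
                     for h in HOST.findall(r["rule"])}
    findings = []
    for name, r in routers.items():
        rule = r.get("rule", "")
        if OUTPOST_PREFIX in rule or r.get("service") == "authentik":
            continue  # Authentik's own routers are not behind ForwardAuth
        chain = {m.strip() for m in r.get("middlewares", "").split(",")}
        if not chain & MIDDLEWARE:
            findings.append((name, "no ForwardAuth middleware"))
        elif not set(HOST.findall(rule)) <= outpost_hosts:
            findings.append((name, "host has no outpost router"))
    return sorted(findings)

# Constructed sample labels (hypothetical routers, merged from several containers).
SAMPLE = {
    "traefik.http.routers.authentik.rule": "Host(`auth.example.test`)",
    "traefik.http.routers.authentik.service": "authentik",
    "traefik.http.routers.ak-portainer.rule":
        "Host(`portainer.example.test`) && PathPrefix(`/outpost.goauthentik.io/`)",
    "traefik.http.routers.portainer.rule": "Host(`portainer.example.test`)",
    "traefik.http.routers.portainer.middlewares": "authentik-forwardauth@docker,secure-headers",
    "traefik.http.routers.grafana.rule": "Host(`grafana.example.test`)",
    "traefik.http.routers.grafana.middlewares": "authentik-forwardauth@docker",
    "traefik.http.routers.whoami.rule": "Host(`whoami.example.test`)",
    "traefik.http.routers.whoami.middlewares": "secure-headers",
}

if __name__ == "__main__":
    print(*(f"{router}: {finding}" for router, finding in audit(SAMPLE)), sep="\n")
```

To run it against live containers, pass the merged label maps from `docker inspect --format '{{json .Config.Labels}}'` instead of `SAMPLE`.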
- /opt/stack/authentik/
- auth_pgdata -> /var/lib/docker/volumes/auth_pgdata
- /opt/stack/authentik/media (if storing assets like logos or templates)

Add a service=authentik case to your backup script (already present in your setup). On demand backup:
/root/backup.sh backup authentik
restic snapshots --tag service=authentik
- cd /opt/stack/authentik && docker compose down
- /opt/restore/...
- rsync -aHAX --delete from restore paths back to:
  - /opt/stack/authentik/
  - /var/lib/docker/volumes/auth_pgdata/_data/
- docker compose up -d

- docker logs -f authentik-server and Admin -> Events.
- web network and set trustForwardHeader=true on ForwardAuth.