From 57721003557f13894948071fdc3683ee687aec09 Mon Sep 17 00:00:00 2001
From: Thieneret
Date: Sun, 22 Feb 2026 08:03:55 +0100
Subject: [PATCH 1/5] feat: add authentik
---
ct/authentik.sh | 120 ++++++++++++++++
frontend/public/json/authentik.json | 42 ++++++
install/authentik-install.sh | 206 ++++++++++++++++++++++++++++
3 files changed, 368 insertions(+)
create mode 100644 ct/authentik.sh
create mode 100644 frontend/public/json/authentik.json
create mode 100644 install/authentik-install.sh
diff --git a/ct/authentik.sh b/ct/authentik.sh
new file mode 100644
index 000000000..ee6a8ffb8
--- /dev/null
+++ b/ct/authentik.sh
@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+source <(curl -s https://raw.githubusercontent.com/thieneret/ProxmoxVED/feat/authentik/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Thieneret
+# License: MIT | https://github.com/thieneret/ProxmoxVED/raw/main/LICENSE
+# Source: https://github.com/goauthentik/authentik
+
+APP="authentik"
+var_tags="auth"
+var_cpu="4"
+var_ram="4096"
+var_disk="10"
+var_os="debian"
+var_version="13"
+var_unprivileged="1"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+ header_info
+ check_container_storage
+ check_container_resources
+
+ AUTHENTIK_VERSION="version/2025.12.4"
+ NODE_VERSION="24"
+
+ if [[ ! -d /opt/authentik ]]; then
+ msg_error "No ${APP} Installation Found!"
+ exit
+ fi
+
+ if [[ "$AUTHENTIK_VERSION" == "$(cat /opt/authentik_version.txt)" ]]; then
+ msg_ok "Authentik up-to-date"
+ exit
+ fi
+
+ if check_for_gh_release "geoipupdate" "maxmind/geoipupdate"; then
+ fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary"
+ fi
+
+ msg_info "Stopping Services"
+ systemctl stop authentik-server.service
+ systemctl stop authentik-worker.service
+ msg_ok "Stopped Services"
+
+ if check_for_gh_release "xmlsec" "lsh123/xmlsec"; then
+
+ CLEAN_INSTALL=1 fetch_and_deploy_gh_release "xmlsec" "lsh123/xmlsec" "tarball" "latest" "/opt/xmlsec"
+
+ msg_info "Update xmlsec"
+ cd /opt/xmlsec
+ $STD ./autogen.sh
+ $STD make -j $(nproc)
+ $STD make check
+ $STD make install
+ ldconfig
+ msg_ok "xmlsec updated"
+ fi
+
+ setup_nodejs
+ setup_go
+
+ if check_for_gh_tag "authentik" "goauthentik/authentik" "${AUTHENTIK_VERSION}"; then
+
+ CLEAN_INSTALL=1 fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tag" "${AUTHENTIK_VERSION}" "/opt/authentik"
+
+ msg_info "Update web"
+ cd /opt/authentik/web
+ NODE_ENV="production"
+ $STD npm install
+ $STD npm run build
+ $STD npm run build:sfe
+ msg_ok "Web updated"
+
+ msg_info "Update go proxy"
+ cd /opt/authentik
+ CGO_ENABLED="1"
+ $STD go mod download
+ $STD go build -o /opt/authentik/authentik-server ./cmd/server
+ msg_ok "Go proxy updated"
+
+ setup_uv
+
+ setup_rust
+
+ msg_info "Update python server"
+ UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+ UV_COMPILE_BYTECODE="1"
+ UV_LINK_MODE="copy"
+ UV_NATIVE_TLS="1"
+ RUSTUP_PERMIT_COPY_RENAME="true"
+ cd /opt/authentik
+ $STD uv sync --frozen --no-install-project --no-dev
+ msg_ok "Python server updated"
+
+ chown -R authentik:authentik /opt/authentik
+
+ echo "${AUTHENTIK_VERSION}" > /opt/authentik_version.txt
+ fi
+
+ msg_info "Restarting services"
+ systemctl restart authentik-server.service authentik-worker.service
+ msg_ok "Started Service"
+ msg_ok "Updated successfully!"
+ exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Initial setup URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000/if/flow/initial-setup/${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000${CL}"
diff --git a/frontend/public/json/authentik.json b/frontend/public/json/authentik.json
new file mode 100644
index 000000000..1e899da7e
--- /dev/null
+++ b/frontend/public/json/authentik.json
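Review bot: In update_script, `NODE_ENV="production"`, `CGO_ENABLED="1"` and the `UV_*`/`RUSTUP_PERMIT_COPY_RENAME` lines are plain assignments, so `npm`, `go` and `uv` only see them if something outside this hunk has already exported those names. The one that matters most is `UV_NO_BINARY_PACKAGE`: without it `uv sync` is free to install prebuilt wheels of cryptography, lxml and xmlsec instead of building them against the libxmlsec compiled a few lines earlier. I would write `export NODE_ENV="production"`, `export CGO_ENABLED="1"` and `export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"`, and do the same for the remaining UV_/RUSTUP_ lines. The same pattern appears in the install/authentik-install.sh hunk of this patch.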
@@ -0,0 +1,42 @@
+{
+ "name": "authentik",
+ "slug": "authentik",
+ "categories": [6],
+ "date_created": "2026-02-21",
+ "type": "ct",
+ "updateable": true,
+ "privileged": false,
+ "interface_port": 9000,
+ "documentation": "https://docs.goauthentik.io/",
+ "website": "https://goauthentik.io/",
+ "logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/authentik.webp",
+ "config_path": "/etc/authentik/config.yml",
+ "description": "authentik is an IdP (Identity Provider) and SSO (Single Sign On) platform.",
+ "install_methods": [
+ {
+ "type": "default",
+ "script": "ct/authentik.sh",
+ "resources": {
+ "cpu": 4,
+ "ram": 4096,
+ "hdd": 10,
+ "os": "Debian",
+ "version": "13"
+ }
+ }
+ ],
+ "default_credentials": {
+ "username": null,
+ "password": null
+ },
+"notes": [
+ {
+ "text": "You will get a Not Found error if initial setup URL doesn't include the trailing forward slash /. Make sure you use the complete url (http://:9000/if/flow/initial-setup/) including the trailing forward slash.",
+ "type": "info"
+ },
+ {
+ "text": "If you want automatic GeoIP updates, create a free account at https://www.maxmind.com/en/geolite2/signup, then edit the /usr/local/etc/GeoIP.conf file with your credentials and remove the # in front of the geoipupdate line in the crontab.",
+ "type": "info"
+ }
+]
+}
\ No newline at end of file
diff --git a/install/authentik-install.sh b/install/authentik-install.sh
new file mode 100644
index 000000000..eee3ad6cf
--- /dev/null
+++ b/install/authentik-install.sh
@@ -0,0 +1,206 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Thieneret
+# License: MIT | https://github.com/thieneret/ProxmoxVED/raw/main/LICENSE
+# Source: https://github.com/goauthentik/authentik
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+# Installing Dependencies with the 3 core dependencies (curl;sudo;mc)
+msg_info "Installing Dependencies"
+$STD apt install -y \
+ curl \
+ sudo \
+ mc \
+ build-essential \
+ pkg-config \
+ libffi-dev \
+ git \
+ libxslt-dev \
+ zlib1g-dev \
+ libpq-dev \
+ krb5-multidev \
+ libkrb5-dev \
+ heimdal-multidev \
+ libclang-dev \
+ libltdl-dev \
+ libpq5 \
+ libmaxminddb0 \
+ ca-certificates \
+ krb5-multidev \
+ libkrb5-3 \
+ libkdb5-10 \
+ libkadm5clnt-mit12 \
+ libkadm5clnt7t64-heimdal \
+ libltdl7 \
+ libxslt1.1 \
+ python3-dev \
+ wget \
+ gnupg \
+ libxml2-dev \
+ libltdl7 \
+ libxml2 \
+ libxslt1-dev \
+ automake \
+ autoconf \
+ libtool \
+ libtool-bin \
+ gcc
+msg_ok "Installed Dependencies"
+
+AUTHENTIK_VERSION="version/2025.12.4"
+NODE_VERSION="24"
+
+fetch_and_deploy_gh_release "xmlsec" "lsh123/xmlsec" "tarball" "latest" "/opt/xmlsec"
+
+msg_info "Setup xmlsec"
+cd /opt/xmlsec
+$STD ./autogen.sh
+$STD make -j $(nproc)
+$STD make check
+$STD make install
+ldconfig
+msg_ok "xmlsec installed"
+
+setup_nodejs
+setup_go
+
+fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tag" "${AUTHENTIK_VERSION}" "/opt/authentik"
+
+msg_info "Setup web"
+cd /opt/authentik/web
+NODE_ENV="production"
+$STD npm install
+$STD npm run build
+$STD npm run build:sfe
+msg_ok "Web installed"
+
+msg_info "Setup go proxy"
+cd /opt/authentik
+CGO_ENABLED="1"
+$STD go mod download
+$STD go build -o /opt/authentik/authentik-server ./cmd/server
+msg_ok "Go proxy installed"
+
+fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary"
+
+cat </usr/local/etc/GeoIP.conf
+AccountID ChangeME
+LicenseKey ChangeME
+EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country
+DatabaseDirectory /opt/authentik-data/geoip
+RetryFor 5m
+Parallelism 1
+EOF
+
+cat </tmp/crontab
+#39 19 * * 6,4 /usr/bin/geoipupdate -f /usr/local/etc/GeoIP.conf
+EOF
+crontab /tmp/crontab
+rm /tmp/crontab
+
+setup_uv
+
+setup_rust
+
+msg_info "Setup python server"
+UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+UV_COMPILE_BYTECODE="1"
+UV_LINK_MODE="copy"
+UV_NATIVE_TLS="1"
+RUSTUP_PERMIT_COPY_RENAME="true"
+cd /opt/authentik
+$STD uv sync --frozen --no-install-project --no-dev
+msg_ok "Installed python server"
+
+mkdir -p /opt/authentik-data/{certs,media,geoip,templates}
+cp /opt/authentik/authentik/sources/kerberos/krb5.conf /etc/krb5.conf
+cp -r /usr/share/GeoIP/ /opt/authentik/geoip/
+
+PG_VERSION="16" setup_postgresql
+
+PG_DB_NAME="authentik" PG_DB_USER="authentik" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db
+
+setup_yq
+
+msg_info "Creating authentik config"
+mkdir -p /etc/authentik
+mv /opt/authentik/authentik/lib/default.yml /etc/authentik/config.yml
+yq -i ".secret_key = \"$(openssl rand -base64 128 | tr -dc 'a-zA-Z0-9' | head -c64)\"" /etc/authentik/config.yml
+yq -i ".postgresql.password = \"${PG_DB_PASS}\"" /etc/authentik/config.yml
+yq -i ".events.context_processors.geoip = \"/opt/authentik-data/geoip/GeoLite2-City.mmdb\"" /etc/authentik/config.yml
+yq -i ".events.context_processors.asn = \"/opt/authentik-data/geoip/GeoLite2-ASN.mmdb\"" /etc/authentik/config.yml
+yq -i ".blueprints_dir = \"/opt/authentik/blueprints\"" /etc/authentik/config.yml
+yq -i ".cert_discovery_dir = \"/opt/authentik-data/certs\"" /etc/authentik/config.yml
+yq -i ".email.template_dir = \"/opt/authentik-data/templates\"" /etc/authentik/config.yml
+yq -i ".storage.file.path = \"/opt/authentik-data\"" /etc/authentik/config.yml
+cp /opt/authentik/tests/GeoLite2-ASN-Test.mmdb /opt/authentik-data/geoip/GeoLite2-ASN.mmdb
+cp /opt/authentik/tests/GeoLite2-City-Test.mmdb /opt/authentik-data/geoip/GeoLite2-City.mmdb
+$STD useradd -U -s /usr/sbin/nologin -r -M -d /opt/authentik authentik
+chown -R authentik:authentik /opt/authentik /opt/authentik-data
+cat </etc/default/authentik
+TMPDIR=/dev/shm/
+UV_LINK_MODE=copy
+UV_PYTHON_DOWNLOADS=0
+UV_NATIVE_TLS=1
+VENV_PATH=/opt/authentik/.venv
+PYTHONDONTWRITEBYTECODE=1
+PYTHONUNBUFFERED=1
+PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+DJANGO_SETTINGS_MODULE=authentik.root.settings
+PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
+EOF
+msg_ok "authentik config created"
+
+msg_info "Creating services"
+cat </etc/systemd/system/authentik-server.service
+[Unit]
+Description=authentik Go Server (API Gateway)
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
+ExecStart=/opt/authentik/authentik-server
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat </etc/systemd/system/authentik-worker.service
+[Unit]
+Description=authentik Worker
+After=network.target postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+Type=simple
+EnvironmentFile=/etc/default/authentik
+ExecStart=/usr/local/bin/uv run python -m manage worker --pid-file /dev/shm/authentik-worker.pid
+WorkingDirectory=/opt/authentik
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl enable -q --now authentik-server.service authentik-worker.service
+msg_ok "Services created"
+
+echo "${AUTHENTIK_VERSION}" > /opt/authentik_version.txt
\ No newline at end of file
From c57bc936310abb8678555d1d37217af844255c19 Mon Sep 17 00:00:00 2001
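Review bot: /etc/authentik/config.yml receives `secret_key` and the PostgreSQL password through the `yq -i` lines, but nothing visible in this hunk sets its owner or mode, so it presumably keeps the world-readable mode that `mv` carried over from the source tree. After the `useradd` line I would add `chown root:authentik /etc/authentik/config.yml` and `chmod 640 /etc/authentik/config.yml`, so that only root and the service group can read the secrets. Separately, `PG_DB_GRANT_SUPERUSER="true"` makes the application's database role a PostgreSQL superuser. If authentik's migrations do not need that, dropping it keeps a compromise of the service confined to its own database.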
From: thieneret <123479547+thieneret@users.noreply.github.com> Date: Sun, 22 Feb 2026 08:44:04 +0100 Subject: [PATCH 2/5] Remove GeoIP data copy in installation script Removed copying of GeoIP data to the authentik directory. --- install/authentik-install.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/install/authentik-install.sh b/install/authentik-install.sh index eee3ad6cf..f5dec9d52 100644 --- a/install/authentik-install.sh +++ b/install/authentik-install.sh @@ -123,7 +123,6 @@ msg_ok "Installed python server" mkdir -p /opt/authentik-data/{certs,media,geoip,templates} cp /opt/authentik/authentik/sources/kerberos/krb5.conf /etc/krb5.conf -cp -r /usr/share/GeoIP/ /opt/authentik/geoip/ PG_VERSION="16" setup_postgresql @@ -203,4 +202,4 @@ EOF systemctl enable -q --now authentik-server.service authentik-worker.service msg_ok "Services created" -echo "${AUTHENTIK_VERSION}" > /opt/authentik_version.txt \ No newline at end of file +echo "${AUTHENTIK_VERSION}" > /opt/authentik_version.txt From e72cf6624c1d01da14772cbfd1557f5b7db68585 Mon Sep 17 00:00:00 2001 From: thieneret <123479547+thieneret@users.noreply.github.com> Date: Sun, 22 Feb 2026 09:19:36 +0100 Subject: [PATCH 3/5] Fix comments and variable initialization in authentik.sh --- ct/authentik.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/ct/authentik.sh b/ct/authentik.sh index ee6a8ffb8..d8e7bf08e 100644 --- a/ct/authentik.sh +++ b/ct/authentik.sh 
@@ -1,18 +1,18 @@ #!/usr/bin/env bash -source <(curl -s https://raw.githubusercontent.com/thieneret/ProxmoxVED/feat/authentik/misc/build.func) +source <(curl -s https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/misc/build.func) # Copyright (c) 2021-2026 community-scripts ORG # Author: Thieneret -# License: MIT | https://github.com/thieneret/ProxmoxVED/raw/main/LICENSE +# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE # Source: https://github.com/goauthentik/authentik APP="authentik" -var_tags="auth" -var_cpu="4" -var_ram="4096" -var_disk="10" -var_os="debian" -var_version="13" -var_unprivileged="1" +var_tags="${var_tags:-auth}" +var_cpu="${var_cpu:-4}" +var_ram="${var_ram:-4096}" +var_disk="${var_disk:-10}" +var_os="${var_os:-debian}" +var_version="${var_version:-13}" +var_unprivileged="${var_unprivileged:-1}" header_info "$APP" variables @@ -28,7 +28,7 @@ function update_script() { NODE_VERSION="24" if [[ ! -d /opt/authentik ]]; then - msg_error "No ${APP} Installation Found!" + msg_error "No authentik Installation Found!" exit fi From c0621f4c23d44993c4c373be93d9ef5136992fad Mon Sep 17 00:00:00 2001 From: thieneret <123479547+thieneret@users.noreply.github.com> Date: Sun, 22 Feb 2026 09:24:31 +0100 Subject: [PATCH 4/5] Refactor installation script and clean up dependencies Removed unnecessary dependencies and updated installation script formatting. --- install/authentik-install.sh | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/install/authentik-install.sh b/install/authentik-install.sh index f5dec9d52..2d5806a65 100644 --- a/install/authentik-install.sh +++ b/install/authentik-install.sh 
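Review bot: The corrected `source <(curl -s …)` line in the first hunk still calls curl without `-f`, so an HTTP error body (a 404 page or a rate-limit response) is handed to `source` and interpreted as shell in whatever context runs this script. `source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/misc/build.func)` makes curl fail instead of emitting the error document. The URL also tracks a mutable branch with no integrity check. That is inherent to this bootstrap style, but a header comment such as `# build.func is fetched from the main branch at run time and executed unverified` would tell users what they are trusting.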
@@ -14,16 +14,11 @@ setting_up_container network_check update_os -# Installing Dependencies with the 3 core dependencies (curl;sudo;mc) msg_info "Installing Dependencies" $STD apt install -y \ - curl \ - sudo \ - mc \ build-essential \ pkg-config \ libffi-dev \ - git \ libxslt-dev \ zlib1g-dev \ libpq-dev \ @@ -34,8 +29,6 @@ $STD apt install -y \ libltdl-dev \ libpq5 \ libmaxminddb0 \ - ca-certificates \ - krb5-multidev \ libkrb5-3 \ libkdb5-10 \ libkadm5clnt-mit12 \ @@ -43,10 +36,7 @@ $STD apt install -y \ libltdl7 \ libxslt1.1 \ python3-dev \ - wget \ - gnupg \ libxml2-dev \ - libltdl7 \ libxml2 \ libxslt1-dev \ automake \ @@ -92,7 +82,7 @@ msg_ok "Go proxy installed" fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary" -cat </usr/local/etc/GeoIP.conf +cat </usr/local/etc/GeoIP.conf AccountID ChangeME LicenseKey ChangeME EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country @@ -101,7 +91,7 @@ RetryFor 5m Parallelism 1 EOF -cat </tmp/crontab +cat </tmp/crontab #39 19 * * 6,4 /usr/bin/geoipupdate -f /usr/local/etc/GeoIP.conf EOF crontab /tmp/crontab @@ -145,7 +135,7 @@ cp /opt/authentik/tests/GeoLite2-ASN-Test.mmdb /opt/authentik-data/geoip/GeoLite cp /opt/authentik/tests/GeoLite2-City-Test.mmdb /opt/authentik-data/geoip/GeoLite2-City.mmdb $STD useradd -U -s /usr/sbin/nologin -r -M -d /opt/authentik authentik chown -R authentik:authentik /opt/authentik /opt/authentik-data -cat </etc/default/authentik +cat </etc/default/authentik TMPDIR=/dev/shm/ UV_LINK_MODE=copy UV_PYTHON_DOWNLOADS=0 @@ -160,7 +150,7 @@ EOF msg_ok "authentik config created" msg_info "Creating services" -cat </etc/systemd/system/authentik-server.service +cat </etc/systemd/system/authentik-server.service [Unit] Description=authentik Go Server (API Gateway) After=network.target 
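Review bot: In the `@@ -101,7 +91,7 @@` hunk the cron entry is still staged at the fixed path `/tmp/crontab` and loaded with `crontab /tmp/crontab`, which replaces the invoking user's entire crontab rather than adding to it. A fixed name in a world-writable directory is worth avoiding even in a fresh container. `tmp_cron=$(mktemp)`, then `crontab "$tmp_cron"` and `rm -f -- "$tmp_cron"`, keeps the flow the same. The `rm` of the staged file lies outside this hunk.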
@@ -180,7 +170,7 @@ EnvironmentFile=/etc/default/authentik WantedBy=multi-user.target EOF -cat </etc/systemd/system/authentik-worker.service +cat </etc/systemd/system/authentik-worker.service [Unit] Description=authentik Worker After=network.target postgresql.service From 1f9225284b5499819fe9bab6a107323b88fba29b Mon Sep 17 00:00:00 2001 From: thieneret <123479547+thieneret@users.noreply.github.com> Date: Sun, 22 Feb 2026 09:28:12 +0100 Subject: [PATCH 5/5] Add additional functions to authentik-install.sh --- install/authentik-install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install/authentik-install.sh b/install/authentik-install.sh index 2d5806a65..cd1fc4bfe 100644 --- a/install/authentik-install.sh +++ b/install/authentik-install.sh @@ -193,3 +193,7 @@ systemctl enable -q --now authentik-server.service authentik-worker.service msg_ok "Services created" echo "${AUTHENTIK_VERSION}" > /opt/authentik_version.txt + +motd_ssh +customize +cleanup_lxc