@manfre
Last active October 2, 2022 10:38
Authentik forward auth to microbin
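---
# Authentik (server + worker) with PostgreSQL, Redis and a GeoIP updater.
# Required environment: PG_PASS and AUTHENTIK_SECRET_KEY (compose refuses to
# start without them); everything else falls back to the defaults shown here.
# Host state lives under /opt/authentik_data (bind mounts) and in the named
# volumes declared at the bottom.
version: '3.4'

# Shared settings for the authentik server and worker containers. Kept in one
# place so the two copies cannot drift (e.g. one checking PG_PASS and the other
# not). `x-` extension fields are allowed from compose file format 3.4.
x-authentik-env: &authentik_env
  AUTHENTIK_REDIS__HOST: redis
  AUTHENTIK_POSTGRESQL__HOST: postgresql
  AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
  AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
  # Same guard as the postgresql service: fail early instead of starting with an
  # empty password.
  AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:?database password required}
  # Error reporting sends crash reports to the authentik project. The default
  # keeps the previous behaviour ("true"); set the variable to "false" to keep
  # error details in-house.
  AUTHENTIK_ERROR_REPORTING__ENABLED: "${AUTHENTIK_ERROR_REPORTING__ENABLED:-true}"
  AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
  AUTHENTIK_EMAIL__HOST: ${AUTHENTIK_EMAIL__HOST}
  AUTHENTIK_EMAIL__PORT: ${AUTHENTIK_EMAIL__PORT:-25}
  AUTHENTIK_EMAIL__USERNAME: ${AUTHENTIK_EMAIL__USERNAME}
  AUTHENTIK_EMAIL__PASSWORD: ${AUTHENTIK_EMAIL__PASSWORD}
  AUTHENTIK_EMAIL__USE_TLS: ${AUTHENTIK_EMAIL__USE_TLS:-false}
  AUTHENTIK_EMAIL__USE_SSL: ${AUTHENTIK_EMAIL__USE_SSL:-false}
  AUTHENTIK_EMAIL__TIMEOUT: ${AUTHENTIK_EMAIL__TIMEOUT:-10}
  AUTHENTIK_EMAIL__FROM: ${AUTHENTIK_EMAIL__FROM}
  GEOIPUPDATE_ACCOUNT_ID: ${GEOIPUPDATE_ACCOUNT_ID}
  GEOIPUPDATE_LICENSE_KEY: ${GEOIPUPDATE_LICENSE_KEY}
  # Path inside the container; the `geoip` volume is mounted at /geoip below.
  AUTHENTIK_AUTHENTIK__GEOIP: ${AUTHENTIK_AUTHENTIK__GEOIP:-/geoip/GeoLite2-City.mmdb}

services:
  postgresql:
    image: docker.io/library/postgres:14-alpine
    restart: unless-stopped
    healthcheck:
      # `$$` escapes compose interpolation so the shell inside the container
      # expands POSTGRES_DB / POSTGRES_USER at check time.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      # `:?` makes compose abort with this message when PG_PASS is unset/empty.
      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
      - POSTGRES_USER=${PG_USER:-authentik}
      - POSTGRES_DB=${PG_DB:-authentik}
    # env_file:
    #   - .env

  redis:
    image: docker.io/library/redis:alpine
    # Snapshot to disk if at least 1 key changed in 60s; quiet logging.
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}
    restart: unless-stopped
    command: server
    environment: *authentik_env
    volumes:
      - /opt/authentik_data/media:/media
      - /opt/authentik_data/custom-templates:/templates
      - geoip:/geoip
    # env_file:
    #   - .env
    # Published on every host interface. The Caddyfile in this gist reaches the
    # server over the container network (by name), so these host ports are only
    # needed for direct access; prefix with an address (e.g. 127.0.0.1:) to
    # restrict them.
    ports:
      - "${AUTHENTIK_PORT_HTTP:-10000}:9000"
      - "${AUTHENTIK_PORT_HTTPS:-10443}:9443"

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.8.2}
    restart: unless-stopped
    command: worker
    environment: *authentik_env
    # This is optional, and can be removed. If you remove this, the following will happen
    # - The permissions for the /media folders aren't fixed, so make sure they are 1000:1000
    # - The docker socket can't be accessed anymore
    # Note that running as root together with the docker.sock mount below gives
    # the worker full control of the host Docker daemon (root-equivalent on the
    # host). Keep both only if you actually use authentik's Docker integration;
    # otherwise drop the socket mount and fix the /media ownership instead.
    user: root
    volumes:
      - /opt/authentik_data/media:/media
      - /opt/authentik_data/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/authentik_data/custom-templates:/templates
      - geoip:/geoip
    # env_file:
    #   - .env

  geoipupdate:
    # Default tag is still `latest` (unchanged); set GEOIPUPDATE_TAG to a fixed
    # release for reproducible, reviewable pulls.
    image: "maxmindinc/geoipupdate:${GEOIPUPDATE_TAG:-latest}"
    volumes:
      # Same named volume the server/worker read at /geoip.
      - "geoip:/usr/share/GeoIP"
    environment:
      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
      # Hours between update checks.
      GEOIPUPDATE_FREQUENCY: "8"
      GEOIPUPDATE_ACCOUNT_ID: ${GEOIPUPDATE_ACCOUNT_ID}
      GEOIPUPDATE_LICENSE_KEY: ${GEOIPUPDATE_LICENSE_KEY}
      AUTHENTIK_AUTHENTIK__GEOIP: ${AUTHENTIK_AUTHENTIK__GEOIP:-/geoip/GeoLite2-City.mmdb}
    # env_file:
    #   - .env

volumes:
  database:
    driver: local
  redis:
    driver: local
  geoip:
    driver: local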
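# Caddy site block: Microbin behind authentik's embedded outpost (forward auth).
# {$VAR:default} placeholders are read from Caddy's environment when the
# Caddyfile is loaded. Container names must be resolvable from the Caddy
# container, i.e. all three services share a Docker network.
{$MICROBIN_EXTERNAL_DNS:paste.myapp.local} {
	# Without `route`, Caddy sorts directives by its built-in order, in which
	# forward_auth runs before reverse_proxy regardless of how they are written.
	# `route` keeps the order exactly as listed, so the outpost path is proxied
	# straight through and everything else is authenticated first.
	route {
		# always forward outpost path to actual outpost
		reverse_proxy /outpost.goauthentik.io/* {$AUTHENTIK_CONTAINER_NAME:authentik-server-1}:{$AUTHENTIK_PORT:9000}

		# forward authentication to outpost
		forward_auth {$AUTHENTIK_CONTAINER_NAME:authentik-server-1}:{$AUTHENTIK_PORT:9000} {
			uri /outpost.goauthentik.io/auth/caddy
			# capitalization of the headers is important, otherwise they will be empty
			# These are the identity headers copied from the outpost's auth response
			# onto the request that reaches Microbin.
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
			# optional, in this config trust all private ranges, should probably be set to the outposts IP
			trusted_proxies private_ranges
		}

		# actual site configuration below, for example
		reverse_proxy {$MICROBIN_CONTAINER_NAME:microbin}:{$MICROBIN_PORT:8080}
	}
}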

Setting up Microbin behind Authentik

  1. Create DNS entry paste.YOUR_DOMAIN.TLD
  2. Follow the Authentik docker-compose instructions (an example docker-compose.yaml is included in this gist)
    • Create a Forward auth (single application) Provider pointing to https://paste.YOUR_DOMAIN.TLD
    • Create an Application and associate with the Provider you created
    • Add Application to authentik Embedded Outpost
  3. Start Caddy container using this Caddyfile with env values set
  4. Start Microbin container
  5. Visit https://paste.YOUR_DOMAIN.TLD and it should redirect you to Authentik sign in

Note: Caddy, Microbin, and authentik-server-1 must all be on the same custom Docker network so that Caddy can resolve the container names used in the Caddyfile via DNS.
