
Authentik on VPS: installation, configuration, and maintenance

June 11, 2026 | 22 min read
Valebyte Team

Authentik on a VPS is the deployment of a modern open-source Identity and Access Management (IAM) platform on your own virtual private server, providing centralized user authentication and authorization for multiple applications. Its installation, configuration, and maintenance via Docker Compose allow for flexible control over the entire infrastructure.

In today's digital landscape, managing access to applications and services has become one of the key challenges for companies of all sizes. From small startups to large enterprises, everyone faces the need to provide secure and convenient access for their employees and customers. This is where Authentik comes in – a powerful and flexible Identity and Access Management (IAM) platform that allows you to centralize authentication, authorization, user management, and much more.

Deploying Authentik on a VPS (Virtual Private Server) opens up wide possibilities. You gain full control over your IAM infrastructure, ensure a high level of security, flexibility in configuration and scaling, and avoid vendor lock-in to specific cloud providers. In this article, we will delve into what Authentik is, why it's needed, its system requirements, and guide you through the complete process of installing Authentik on a server using Docker and Docker Compose, configuring a reverse proxy with HTTPS, and discuss maintenance issues, including backups and updates. We will also provide recommendations for choosing the optimal VPS configuration for real-world loads to ensure your platform always runs stably and efficiently.

What is Authentik and why is it needed on a VPS?

Authentik is a modern, open-source Identity and Access Management (IAM) platform that provides a wide range of features for centralized user authentication and authorization. Essentially, it's a Single Sign-On (SSO) solution and a powerful mechanism for implementing Multi-Factor Authentication (MFA), managing users and groups, and integrating with various applications and protocols.

The main idea behind Authentik is to simplify and secure the process of accessing your services. Instead of users remembering dozens of logins and passwords for each application, they authenticate once with Authentik and then gain seamless access to all integrated systems. This not only enhances user convenience but also significantly improves overall security by allowing the application of strong password policies, MFA, and other protection mechanisms centrally.

Key Features of Authentik

  • Single Sign-On (SSO): Users log in once and gain access to all connected applications without re-entering credentials.
  • Multi-Factor Authentication (MFA): Support for TOTP, WebAuthn (FIDO2), SMS, Email, Duo, as well as the ability to create custom MFA providers.
  • User and Group Management: Centralized creation, modification, and deletion of accounts, as well as group membership management.
  • Authentication Protocols: Support for OAuth2, OpenID Connect (OIDC), SAML, LDAP, RADIUS, SCIM, ensuring broad compatibility with existing applications.
  • Directory Integration: Synchronization of users and groups with external directories such as Active Directory, LDAP, Azure AD.
  • Access Policies: Flexible policies for controlling access based on groups, IP addresses, time of day, and other parameters.
  • Audit and Logging: Detailed logs of all authentication and authorization events to ensure compliance with security requirements.
  • Self-service Portal: Users can manage their own accounts, reset passwords, and configure MFA.

Advantages of Authentik self-hosted on a VPS

Deploying Authentik self-hosted on a VPS offers several significant advantages compared to using cloud IAM services or disparate authentication systems:

  1. Full Control and Data Sovereignty: Your data and authentication logs remain entirely under your control. You are not dependent on the policies and infrastructure of third-party providers. This is especially important for companies with strict privacy and regulatory compliance requirements.
  2. Flexibility and Customization: You can configure Authentik to precisely meet your unique needs, integrate it with any of your infrastructure, and adapt the user interface.
  3. Long-term Cost Savings: While the initial setup of Authentik on a VPS requires effort, in the long run, it can be significantly cheaper than monthly fees for commercial IAM solutions, especially as the number of users grows.
  4. Performance: You control the resources of your VPS, allowing you to optimize Authentik's performance for your specific workloads, avoiding the "noisy neighbor" effect on shared hosting.
  5. Security: You manage server security yourself, set your own firewall rules, conduct audits and updates, allowing you to create a maximally secure environment.
  6. No Vendor Lock-in: As an open-source solution, Authentik does not tie you to a specific vendor, giving you freedom of choice and migration.

Choosing a VPS for Authentik deployment is particularly relevant for those who value independence, control, and efficiency. Self-managed VPS from Valebyte.com is ideal for such tasks, providing powerful resources and full access for installing and configuring any applications, including Authentik.

System Requirements for Authentik: Which VPS to choose?

Before proceeding with Authentik installation, it's important to ensure that your VPS meets the minimum and recommended system requirements. Authentik, like many modern applications, actively uses a database (PostgreSQL) and caching (Redis), so disk subsystem performance and RAM capacity play a key role. Since we will be using Authentik Docker, this also imposes certain resource requirements.

Minimum Requirements for Small Deployments (up to 50 active users / 5-10 applications)

  • Operating System: Ubuntu 20.04+, Debian 11+, CentOS 7+/Rocky Linux 8+. Ubuntu Server LTS is recommended for ease of use and broad support.
  • Processor (CPU): 2 vCPU. This will be sufficient for small loads, but the higher the core frequency, the better.
  • Random Access Memory (RAM): 4 GB. Authentik itself consumes about 1-2 GB, plus PostgreSQL and Redis also require memory. Docker containers also use resources.
  • Disk Space: 50 GB NVMe SSD. NVMe is highly recommended due to high I/O speeds, which is critical for the database. HDD or SATA SSD can significantly slow down performance.
  • Network Interface: 100 Mbps or 1 Gbps.
  • Public IP Address: Required for external access to Authentik and HTTPS operation.

Recommended Requirements for Medium Deployments (up to 500 active users / 20-50 applications)

  • Processor (CPU): 4 vCPU.
  • Random Access Memory (RAM): 8 GB.
  • Disk Space: 100 GB NVMe SSD.
  • Network Interface: 1 Gbps.

Recommended Requirements for Large Deployments (more than 500 active users / 50+ applications)

For large Authentik deployments, especially if you expect high concurrent load, a more powerful VPS or even a dedicated server will be required. In this case, it makes sense to consider scaling the database and Redis to separate instances or using clusters.

  • Processor (CPU): 8+ vCPU.
  • Random Access Memory (RAM): 16+ GB.
  • Disk Space: 200+ GB NVMe SSD (with expansion capability).
  • Network Interface: 1 Gbps with guaranteed bandwidth.

Important note on disks: NVMe SSD is not just a recommendation, but almost a requirement for stable and fast Authentik operation, especially with a large number of database operations (logs, sessions, synchronization). The performance difference between NVMe and regular SSDs or HDDs can be enormous.

When choosing a VPS from Valebyte.com, pay attention to plans with NVMe SSD and sufficient RAM. If you are unsure which plan to choose, it's better to start with a slightly more powerful one and scale down if necessary, rather than facing performance issues due to insufficient resources.


Step-by-step Authentik Installation on VPS with Docker Compose

Authentik installation on a VPS will be performed using Docker and Docker Compose. This allows for easy deployment of all necessary components (Authentik, PostgreSQL, Redis) in isolated containers, ensuring simplicity of management, updates, and scaling. This method is ideal for Authentik self-hosted solutions.

Preparing the VPS for Authentik Installation

Before proceeding with the deployment, you need to prepare your VPS. We assume you are using Ubuntu Server 22.04 LTS operating system.

  1. System Update:

    Connect to your VPS via SSH and update all system packages:

    sudo apt update && sudo apt upgrade -y
  2. Docker Installation:

    Install Docker Engine from Docker's official apt repository, which gives you a current, stable version and clean updates:

    sudo apt install ca-certificates curl gnupg lsb-release -y
    sudo mkdir -p /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
    echo \
      "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
      $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt update
    sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y

    Add the current user to the docker group to avoid using sudo when working with Docker:

    sudo usermod -aG docker $USER
    newgrp docker

    Verify Docker installation:

    docker run hello-world
  3. Docker Compose Installation (if not installed as a plugin):

    If you installed docker-compose-plugin, then docker compose is already available. If not, or if you prefer the older docker-compose version:

    sudo apt install docker-compose -y

    In this article, we will use the new docker compose syntax (without a hyphen).

  4. Domain Name and DNS Configuration:

    Ensure you have a registered domain name (e.g., auth.yourdomain.com) and that the A-record for this domain points to your VPS's public IP address. This is critically important for HTTPS and Let's Encrypt to work.

  5. Firewall Port Opening:

    Configure your firewall (e.g., UFW) to allow incoming connections on ports 80 (HTTP) and 443 (HTTPS), as well as 22 (SSH).

    sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw enable

    Confirm firewall activation by pressing y.

Deploying Authentik with Docker Compose

Now that the VPS is ready, we can proceed with Authentik deployment. We will create a docker-compose.yml file that will define all necessary services.

  1. Creating a Directory for Authentik:

    Create a separate directory for all Authentik files:

    mkdir authentik && cd authentik
  2. Creating the .env file:

    Authentik uses environment variables for configuration. Create an .env file in the authentik directory:

    nano .env

    And add the following content, replacing your.domain.com with your domain and generating strong passwords/secrets:

    AUTHENTIK_SECRET_KEY=your_very_long_and_random_secret_key_for_authentik
    AUTHENTIK_HOST=https://auth.yourdomain.com
    
    PG_PASS=your_strong_postgres_password
    PG_HOST=authentik-database
    PG_NAME=authentik
    PG_USER=authentik
    
    REDIS_HOST=authentik-redis
    REDIS_PORT=6379

    Important: AUTHENTIK_SECRET_KEY must be very long and random (minimum 50 characters). You can generate it, for example, with the command openssl rand -base64 48.

  3. Creating the docker-compose.yml file:

    Create a docker-compose.yml file in the same directory:

    nano docker-compose.yml

    And add the following content:

    version: '3.9'
    
    services:
      authentik-database:
        image: postgres:15-alpine
        restart: unless-stopped
        healthcheck:
          # POSTGRES_DB and POSTGRES_USER are the variables this container actually has;
          # the doubled $$ makes Compose pass them through to be expanded inside the container
          test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
          start_period: 20s
          interval: 30s
          retries: 5
          timeout: 5s
        volumes:
          - database-data:/var/lib/postgresql/data
        environment:
          POSTGRES_PASSWORD: ${PG_PASS}
          POSTGRES_USER: ${PG_USER}
          POSTGRES_DB: ${PG_NAME}
    
      authentik-redis:
        image: redis:7-alpine
        restart: unless-stopped
        healthcheck:
          test: ["CMD-SHELL", "redis-cli ping"]
          start_period: 20s
          interval: 30s
          retries: 5
          timeout: 5s
        volumes:
          - redis-data:/data
    
      authentik-server:
        image: ghcr.io/goauthentik/authentik:2023.10.3 # Use the actual version
        restart: unless-stopped
        command: server
        # Wait for the database and Redis to report healthy before starting
        depends_on:
          authentik-database:
            condition: service_healthy
          authentik-redis:
            condition: service_healthy
        environment:
          AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
          AUTHENTIK_HOST: ${AUTHENTIK_HOST}
          AUTHENTIK_DATABASE__HOST: ${PG_HOST}
          AUTHENTIK_DATABASE__NAME: ${PG_NAME}
          AUTHENTIK_DATABASE__USER: ${PG_USER}
          AUTHENTIK_DATABASE__PASSWORD: ${PG_PASS}
          AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
        volumes:
          - media:/media
          - custom-templates:/templates
        ports:
          # Bind to loopback only. Docker publishes ports through its own iptables rules,
          # which bypass UFW, so a plain "9000:9000" would expose Authentik directly to the
          # Internet. The reverse proxy configured later connects via 127.0.0.1.
          - "127.0.0.1:9000:9000" # HTTP
          - "127.0.0.1:9443:9443" # HTTPS (built-in; we will put Nginx/Caddy in front)
    
      authentik-worker:
        image: ghcr.io/goauthentik/authentik:2023.10.3 # Use the actual version
        restart: unless-stopped
        command: worker
        depends_on:
          authentik-database:
            condition: service_healthy
          authentik-redis:
            condition: service_healthy
        environment:
          AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
          AUTHENTIK_HOST: ${AUTHENTIK_HOST}
          AUTHENTIK_DATABASE__HOST: ${PG_HOST}
          AUTHENTIK_DATABASE__NAME: ${PG_NAME}
          AUTHENTIK_DATABASE__USER: ${PG_USER}
          AUTHENTIK_DATABASE__PASSWORD: ${PG_PASS}
          AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
        volumes:
          - media:/media
          - custom-templates:/templates
        # No need to publish ports for the worker; it communicates over the internal Docker network
    
    volumes:
      database-data:
      redis-data:
      media:
      custom-templates:

    Note: Replace 2023.10.3 with the most current stable version of Authentik. You can check the latest version on Authentik's GitHub page.

  4. Starting Authentik:

    Save docker-compose.yml and start all services:

    docker compose up -d

    The -d option runs containers in the background. Wait for all containers to start. You can check their status:

    docker compose ps

    Ensure all services show a running state and that the services with a healthcheck (the database and Redis) report healthy.

  5. Initializing Authentik and Creating a Superuser:

    After the first launch, Authentik needs to initialize the database and create the first administrator. Authentik will perform migrations automatically on first startup, but you need to create a superuser. This is done via the worker container:

    docker compose exec authentik-worker authentik shell
    > from authentik.core.models import User
    > User.objects.create_superuser('akadmin', '[email protected]', 'your_super_strong_password')
    > exit()

    Replace akadmin, [email protected], and your_super_strong_password with your desired credentials. Use a very strong password!

At this point, Authentik is running on your VPS and listening on ports 9000 (HTTP) and 9443 (HTTPS) on the host. To reach it externally via a domain name with HTTPS, we still need to configure a reverse proxy.
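Before the first docker compose up -d, a quick sanity check of the .env file catches the mistakes that most often break a first deployment. The script below is an added example and not part of the original article: it reads the plain KEY=value lines the article's .env uses and applies the article's own rules (no template placeholders left, an AUTHENTIK_SECRET_KEY of at least 50 characters, an https:// AUTHENTIK_HOST); the 16-character floor for PG_PASS is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check for the .env
# file created above. Run as: sh check_env.sh /path/to/your/authentik/.env
# It reads plain KEY=value lines (the format used in the article; no quoting).
set -eu

# Print the value of KEY from FILE; empty output when the key is absent.
env_value() {
    key=$1; file=$2
    sed -n "s/^${key}=//p" "$file" | tail -n 1
}

# Check FILE against the article's rules. Prints one line per finding and
# returns 0 only when nothing was found.
check_env_file() {
    file=$1; rc=0
    for key in AUTHENTIK_SECRET_KEY AUTHENTIK_HOST PG_PASS PG_HOST PG_NAME PG_USER REDIS_HOST; do
        val=$(env_value "$key" "$file")
        if [ -z "$val" ]; then
            echo "$key: missing"; rc=1
        fi
        # values copied from the template all start with "your_"
        case "$val" in
            your_*) echo "$key: template placeholder still present"; rc=1 ;;
        esac
    done
    secret=$(env_value AUTHENTIK_SECRET_KEY "$file")
    if [ "${#secret}" -lt 50 ]; then
        echo "AUTHENTIK_SECRET_KEY: ${#secret} characters, at least 50 are required"; rc=1
    fi
    pass=$(env_value PG_PASS "$file")
    if [ "${#pass}" -lt 16 ]; then   # assumption: 16 characters as a floor for the DB password
        echo "PG_PASS: ${#pass} characters, use at least 16"; rc=1
    fi
    case "$(env_value AUTHENTIK_HOST "$file")" in
        https://*) ;;
        *) echo "AUTHENTIK_HOST: must be an https:// URL"; rc=1 ;;
    esac
    return "$rc"
}

# Only run when a file is given, so the functions can also be sourced elsewhere.
if [ "$#" -ge 1 ]; then
    check_env_file "$1" && echo "$1: OK"
fi
```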


Configuring Reverse Proxy and HTTPS for Authentik

Direct access to Authentik via IP address and non-standard ports is undesirable from a security and convenience perspective. For this, we will use a reverse proxy server, which will accept all incoming requests on standard ports (80 and 443), forward them to Authentik, and provide HTTPS encryption using Let's Encrypt. We will cover two popular options: Nginx and Caddy.

Configuring Nginx as Reverse Proxy

Nginx is a high-performance web server and reverse proxy, widely used for such tasks.

  1. Installing Nginx:
    sudo apt install nginx -y
  2. Creating Nginx Configuration File for Authentik:

    Create a new configuration file for your domain:

    sudo nano /etc/nginx/sites-available/authentik.conf

    And add the following content, replacing auth.yourdomain.com with your domain. Start with a plain HTTP server block only: Certbot (step 5) needs a working configuration for this server_name to obtain the certificate, and nginx refuses to load a configuration whose HTTPS block points at certificate files that do not exist yet.

    server {
        listen 80;
        listen [::]:80;
        server_name auth.yourdomain.com;
    
        location / {
            proxy_pass http://127.0.0.1:9000; # Authentik HTTP port
            proxy_http_version 1.1;           # needed for WebSocket upgrades (outposts, live updates)
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
        }
    }
  3. Activating the Configuration:
    sudo ln -s /etc/nginx/sites-available/authentik.conf /etc/nginx/sites-enabled/
    sudo nginx -t
    sudo systemctl reload nginx
  4. Installing Certbot for Let's Encrypt:

    Certbot automates obtaining and renewing Let's Encrypt SSL certificates.

    sudo apt install certbot python3-certbot-nginx -y
  5. Obtaining an SSL Certificate:

    Run Certbot, specifying your domain:

    sudo certbot --nginx -d auth.yourdomain.com

    Follow the on-screen instructions and select "Redirect" when asked, so that HTTP requests are redirected to HTTPS. Certbot copies the server block above into a new HTTPS server block (proxy settings included), adds the certificate directives and turns the port-80 block into a redirect. The finished configuration corresponds to the following; now that the certificate files exist, you can also tidy the generated file up to match it:

    server {
        listen 80;
        listen [::]:80;
        server_name auth.yourdomain.com;
    
        location / {
            return 301 https://$host$request_uri;
        }
    }
    
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name auth.yourdomain.com;
    
        ssl_certificate /etc/letsencrypt/live/auth.yourdomain.com/fullchain.pem; # Created by Certbot
        ssl_certificate_key /etc/letsencrypt/live/auth.yourdomain.com/privkey.pem; # Created by Certbot
        ssl_trusted_certificate /etc/letsencrypt/live/auth.yourdomain.com/chain.pem;
    
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
        location / {
            proxy_pass http://127.0.0.1:9000; # Authentik HTTP port
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
        }
    }

    Certbot also installs a systemd timer that renews the certificate automatically; sudo certbot renew --dry-run confirms that renewal works.

  6. Verification:

    Open your domain (e.g., https://auth.yourdomain.com) in a browser. You should see the Authentik login page. Log in with the superuser you created earlier.

Configuring Caddy as Reverse Proxy

Caddy is a modern web server that simplifies HTTPS configuration thanks to built-in Let's Encrypt automation.

  1. Installing Caddy:

    Install Caddy by following the official documentation (for Ubuntu):

    sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
    sudo apt update
    sudo apt install caddy -y
  2. Creating a Caddyfile for Authentik:

    Caddy uses a Caddyfile for configuration. Create or edit the file:

    sudo nano /etc/caddy/Caddyfile

    And add the following content, replacing auth.yourdomain.com with your domain:

    auth.yourdomain.com {
        # Caddy passes the Host header through unchanged and sets X-Forwarded-For
        # and X-Forwarded-Proto itself; WebSocket upgrades need no extra directives.
        reverse_proxy 127.0.0.1:9000 {
            header_up X-Real-IP {remote_host}
        }
    }

    Caddy will automatically obtain and renew SSL certificates for auth.yourdomain.com. It will also automatically redirect HTTP to HTTPS.

  3. Verifying and Starting Caddy:
    sudo caddy validate --config /etc/caddy/Caddyfile
    sudo systemctl restart caddy
  4. Verification:

    Open your domain (e.g., https://auth.yourdomain.com) in a browser. You should see the Authentik login page.

Both options (Nginx and Caddy) handle the reverse proxy role excellently. Caddy is often chosen for its simplicity and automatic HTTPS configuration, while Nginx offers more granular control and extensive features, which can be important for more complex infrastructures.

Basic Authentik Maintenance: Backups and Updates

Maintaining Authentik's operability and security on a server requires regular maintenance, including data backup and timely software updates. These are critically important aspects for any self-hosted application.

Authentik Backup Strategies

Your Authentik data includes the PostgreSQL database (users, applications, policies, logs) and media files/templates. Backups should cover both of these parts.

  1. PostgreSQL Database Backup:

    The most important part is the database. Use the pg_dump utility to create a database dump. It is recommended to do this regularly, for example, daily.

    # Navigate to the Authentik directory
    cd /path/to/your/authentik
    
    # Stop Authentik for a consistent backup (optional, but recommended for large systems)
    # docker compose stop authentik-server authentik-worker
    
    # Perform database backup. The POSTGRES_* variables are expanded inside the
    # database container (the single quotes keep the host shell from expanding them),
    # and -T disables the pseudo-TTY that would otherwise corrupt the redirected output.
    docker compose exec -T authentik-database sh -c 'pg_dump -U "$POSTGRES_USER" -d "$POSTGRES_DB"' > authentik_db_backup_$(date +%Y%m%d%H%M%S).sql
    
    # If you stopped services, start them again
    # docker compose start authentik-server authentik-worker

    The user and database name are taken from the container's own environment (set from PG_USER and PG_NAME in your .env file), so nothing has to be substituted by hand. The .sql backup file will be created in the current directory (Authentik directory).

  2. Docker Volumes Backup:

    In addition to the database, Authentik stores media files and custom templates in Docker volumes:

    • media: for user images, logos, and other media files.
    • custom-templates: for any modified Authentik templates.
    • database-data: PostgreSQL data.
    • redis-data: Redis data.

    You can create tar archives of these volumes by mounting them read-only into a throwaway container. Docker Compose prefixes volume names with the project name (the directory name, authentik here); check the exact names with docker volume ls. Example for the media volume:

    docker run --rm -v authentik_media:/media:ro -v "$(pwd)":/backup alpine tar czf /backup/authentik_media_backup_$(date +%Y%m%d%H%M%S).tar.gz -C / media

    This does not require the authentik-server container to be running. Repeat for custom-templates (volume authentik_custom-templates).

    More reliable approach: Use tools for Docker volume backup or simply back up the entire /var/lib/docker/volumes/ directory (after stopping Docker) or use specialized file system backup tools that can work with live volumes.

  3. Automation and Backup Storage:
    • Cron: Configure cron jobs to run backup scripts daily.
    • Remote Storage: Never store backups on the same VPS as the production system. Use remote storage (S3-compatible storage, SCP to another server, Google Drive, Dropbox) to ensure fault tolerance.
    • Backup Rotation: Implement a rotation policy (e.g., keep 7 daily, 4 weekly, 3 monthly backups).
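Putting the three steps together, the script below is an added example and not part of the original article: it dumps the database, archives the media and custom-templates volumes and applies the 7 daily / 4 weekly / 3 monthly rotation. The AUTHENTIK_DIR and BACKUP_ROOT paths and the Compose project name authentik (derived from the directory name, which gives volume names such as authentik_media) are assumptions; copying BACKUP_ROOT to remote storage is a separate step.

```shell
#!/bin/sh
# Added example (not from the original article): backup of the Compose
# deployment above with a 7 daily / 4 weekly / 3 monthly retention.
# Each run lands in daily/<timestamp>/; Sunday runs are copied to weekly/
# and runs on the 1st to monthly/. Run from cron as: backup.sh run
set -eu

AUTHENTIK_DIR="${AUTHENTIK_DIR:-/path/to/your/authentik}"   # assumption
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/authentik}"       # assumption
COMPOSE_PROJECT="${COMPOSE_PROJECT:-authentik}"            # Compose project = directory name

# Print the retention tiers a run on DATE (YYYY-MM-DD) belongs to: every run is
# daily, a Sunday run is also weekly and a run on the 1st is also monthly.
tiers_for_date() {
    tiers="daily"
    dow=$(date -d "$1" +%u)   # GNU date: 1 = Monday ... 7 = Sunday
    dom=$(date -d "$1" +%d)
    [ "$dow" = "7" ] && tiers="$tiers weekly"
    [ "$dom" = "01" ] && tiers="$tiers monthly"
    echo "$tiers"
}

# Delete all but the KEEP newest entries in DIR. Entries are named by timestamp,
# so lexical order is chronological order. Prints the number of entries left.
prune_dir() {
    dir=$1; keep=$2
    [ -d "$dir" ] || { echo 0; return 0; }
    ls -1 "$dir" | sort -r | tail -n +"$((keep + 1))" | while IFS= read -r entry; do
        rm -rf -- "$dir/$entry"
    done
    ls -1 "$dir" | wc -l | tr -d ' '
}

# pg_dump runs inside the database container, where POSTGRES_USER and
# POSTGRES_DB are set; -T avoids the pseudo-TTY that would corrupt the stream.
backup_database() {
    docker compose -f "$AUTHENTIK_DIR/docker-compose.yml" exec -T authentik-database \
        sh -c 'pg_dump -U "$POSTGRES_USER" -d "$POSTGRES_DB"' | gzip > "$1/database.sql.gz"
}

# Archive a named volume by mounting it read-only into a throwaway container;
# the authentik-server container does not need to be running for this.
backup_volume() {
    docker run --rm -v "${COMPOSE_PROJECT}_$1:/src:ro" -v "$2:/backup" alpine \
        tar czf "/backup/$1.tar.gz" -C /src .
}

run_backup() {
    stamp=$(date +%Y%m%dT%H%M%S)
    run_dir="$BACKUP_ROOT/daily/$stamp"
    mkdir -p "$run_dir"
    backup_database "$run_dir"
    backup_volume media "$run_dir"
    backup_volume custom-templates "$run_dir"
    for tier in $(tiers_for_date "$(date +%F)"); do
        [ "$tier" = "daily" ] && continue
        mkdir -p "$BACKUP_ROOT/$tier"
        cp -a "$run_dir" "$BACKUP_ROOT/$tier/"
    done
    prune_dir "$BACKUP_ROOT/daily" 7 >/dev/null
    prune_dir "$BACKUP_ROOT/weekly" 4 >/dev/null
    prune_dir "$BACKUP_ROOT/monthly" 3 >/dev/null
    echo "backup $stamp written to $run_dir"
}

# Only "backup.sh run" performs a backup, so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Schedule it with cron (for example daily at 02:00) and sync BACKUP_ROOT to your remote storage afterwards.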

Updating Authentik

Updating Authentik in Docker Compose is a relatively simple process that involves pulling new images and restarting containers. Always check the official Authentik documentation before updating, as there may be specific instructions for major versions.

  1. Checking for the Latest Version:

    Visit the Authentik GitHub repository or their official website to find the latest stable version.

  2. Updating the docker-compose.yml file:

    Edit docker-compose.yml and change the image tag for authentik-server and authentik-worker to the new version (e.g., from 2023.10.3 to 2023.12.0):

    # ...
      authentik-server:
        image: ghcr.io/goauthentik/authentik:2023.12.0 # Updated version
    # ...
      authentik-worker:
        image: ghcr.io/goauthentik/authentik:2023.12.0 # Updated version
    # ...
  3. Performing the Update:

    Navigate to the Authentik directory and execute the commands:

    # Create a backup before updating (MANDATORY!)
    cd /path/to/your/authentik
    # ... perform backup commands as described above ...
    
    # Stop and remove old containers
    docker compose down
    
    # Pull new images and start containers
    docker compose pull
    docker compose up -d

    docker compose pull will download new image versions. docker compose up -d will recreate containers with new images, while preserving data in volumes. Authentik will automatically perform necessary database migrations on startup.

  4. Post-Update Verification:

    After startup, ensure all containers are running and Authentik is accessible via your domain. Check logs for any errors.

Regular backups and timely updates are the key to stable, secure, and up-to-date operation of your Authentik installation on a VPS. Do not neglect these procedures.

Optimal VPS Configuration for Authentik under Real-World Load

Choosing the right VPS configuration for Authentik is critical to ensure stable performance and responsiveness of your IAM platform. "Real-world load" can vary greatly depending on the number of users, authentication frequency, number of integrated applications, and the use of features such as synchronization with external directories or complex policies. Here we will look at typical scenarios and suggest corresponding configurations.

Factors Affecting VPS Requirements

  • Number of active users: How many users will regularly authenticate?
  • Number of integrated applications: The more applications use Authentik for SSO, the higher the load.
  • Authentication frequency: Peak loads (e.g., Monday morning) or a constant stream of requests.
  • MFA usage: Some MFA methods may require more resources or external services.
  • Directory synchronization: Frequent synchronization with large LDAP/AD directories can be resource-intensive.
  • Logging and auditing: Large volumes of logs require more disk space and IOPS.
  • API usage: If Authentik is actively used via API, this also increases the load.

Table of VPS Configuration Recommendations for Authentik

The configurations presented below are general recommendations. For mission-critical systems or very large deployments, more detailed analysis and testing may be required.

Load Scenario                  | Active Users / Applications | vCPU | RAM (GB) | Disk (NVMe SSD) | Network Interface   | Approximate Cost (USD/month)
Initial / Test                 | 10-50 / 5-10                | 2    | 4        | 50 GB           | 1 Gbps              | $10 - $20
Small Business / Department    | 50-200 / 10-25              | 4    | 8        | 100 GB          | 1 Gbps              | $20 - $40
Medium Business / Organization | 200-500 / 25-50             | 6    | 16       | 200 GB          | 1 Gbps              | $40 - $80
Large Business / Enterprise    | 500+ / 50+                  | 8+   | 32+      | 400+ GB         | 1 Gbps (guaranteed) | $80 - $150+

Table Explanations:

  • vCPU: Authentik scales well with cores. More cores mean better parallel request processing.
  • RAM: Authentik, PostgreSQL, and Redis are the main memory consumers. Insufficient RAM will lead to active swap usage and a sharp drop in performance. 8 GB RAM is a reasonable minimum for a production environment.
  • Disk (NVMe SSD): This is one of the most critical parameters. PostgreSQL actively writes to disk, and a slow disk will become a bottleneck. NVMe SSD provides significantly higher IOPS compared to SATA SSDs or, even more so, HDDs. For high-load scenarios or large log volumes, NVMe is mandatory.
  • Network Interface: 1 Gbps is standard for modern VPS. For very large deployments, ensure the provider guarantees high bandwidth, not just "up to 1 Gbps."
  • Approximate Cost: Prices can vary greatly depending on the provider, location, and additional services. Valebyte.com offers competitive rates with NVMe SSDs that are ideal for Authentik.

Additional Recommendations:

  1. Monitoring: After deployment, set up a monitoring system (e.g., Netdata, Prometheus with Grafana) to track CPU, RAM, disk IOPS, and network traffic. This will help you understand your system's real needs and scale your VPS in a timely manner.
  2. Scaling: If you expect significant growth, consider using larger VPS or even dedicated servers. In some cases, for very large deployments, it may be advisable to move the database and Redis to separate, optimized instances.
  3. Backup: Ensure your backup plan meets your recovery time objective (RTO) and recovery point objective (RPO) requirements.
  4. Security: Regularly update the OS, Docker, and Authentik, use strong passwords, and configure a firewall.

Choosing the optimal VPS configuration for Authentik is an investment in the stability and security of your infrastructure. Start with a reasonable minimum based on your current needs, and be prepared to scale as the load grows. Valebyte.com offers flexible VPS plans that can be adapted to any Authentik requirements, from test environments to high-load production systems.


Frequently Asked Questions about Authentik on a Server

When deploying and operating Authentik on a server, especially when using the Authentik Docker approach, a number of typical questions arise. Below, we have compiled answers to the most common ones to help you with the installation, configuration, and maintenance process.

1. Can Authentik be used without Docker?

Theoretically, yes, Authentik can be installed without Docker by manually configuring all dependencies (Python, PostgreSQL, Redis, etc.). However, this approach is significantly more complex, requires more time for setup and support, and complicates the update process. Authentik developers actively recommend and support only deployment via Docker/Docker Compose due to its simplicity, portability, and component isolation.

2. How do I change the Authentik superuser password if I forgot it?

You can reset the superuser password using the authentik shell command inside the authentik-worker container:

cd /path/to/your/authentik
docker compose exec authentik-worker authentik shell
> from authentik.core.models import User
> user = User.objects.get(username='akadmin') # Replace akadmin with your username
> user.set_password('your_new_super_strong_password')
> user.save()
> exit()

Be sure to use a strong password.

3. What ports does Authentik use by default?

Inside the Docker container, Authentik by default uses port 9000 for HTTP and 9443 for HTTPS (built-in proxy). However, as we discussed, for external access, it is recommended to use a reverse proxy (Nginx or Caddy), which will listen on standard ports 80 and 443 and forward requests to Authentik's internal port 9000.

4. How to configure Authentik to work with multiple domain names?

If you need Authentik to be accessible via multiple domain names, configure your reverse proxy (Nginx or Caddy) to handle them. For Nginx, this means adding the extra names to server_name or creating additional server blocks, each with its own SSL certificate where needed. In Authentik itself, the AUTHENTIK_HOST variable in the .env file should contain the primary domain name; Authentik normally works correctly with requests arriving through a reverse proxy regardless of the Host header, as long as the proxy headers are set correctly.

5. What to do if Authentik does not start after an update?

If Authentik does not start after an update, follow these steps:

  1. Check container logs:
    cd /path/to/your/authentik
    docker compose logs authentik-server authentik-worker

    Look for errors, especially those related to the database or configuration.

  2. Check container status:
    docker compose ps

    Ensure all containers have a running status and health.

  3. Check the .env file and docker-compose.yml: Make sure all environment variables and configurations are correct and have not been accidentally changed.
  4. Restore from backup: If nothing else helps, this is why you always make backups before updating. Restore the database and volumes from the last working backup.

6. How to improve Authentik performance?

To improve Authentik performance:

  • Scale your VPS: Increase the number of vCPUs, RAM, and most importantly, ensure a fast NVMe SSD.
  • Optimize PostgreSQL: If you have a very high load, consider fine-tuning PostgreSQL or moving it to a separate, more powerful instance.
  • Configure Redis: Ensure Redis is running efficiently and has enough memory.
  • Optimize Reverse Proxy: Make sure Nginx or Caddy are optimally configured to handle a large number of connections.
  • Distribute the load: For very large deployments, consider using multiple Authentik instances behind a load balancer.

7. Can I use Authentik for authentication with Windows AD or LDAP?

Yes, Authentik has built-in support for LDAP and Active Directory. Configure an LDAP source to synchronize users and groups from your AD/LDAP directory, which lets Authentik act as the single point of authentication for your existing infrastructure.

8. Where is Authentik data stored?

Authentik's main data is stored in the following locations:

  • PostgreSQL Database: Contains all information about users, applications, policies, sessions, and logs. Stored in the database-data volume.
  • Redis: Used for caching and sessions. Stored in the redis-data volume.
  • Media Files: User avatars, application logos, and other media data are stored in the media volume.
  • Custom Templates: If you have modified Authentik UI templates, they are stored in the custom-templates volume.

All these volumes are created by Docker Compose and are located in the /var/lib/docker/volumes/ directory on your VPS.

We hope these answers help you work more confidently with Authentik on your server.

Conclusion

Deploying Authentik on a VPS is a powerful and flexible solution for centralized identity and access management, providing full control over your security infrastructure. By following the step-by-step instructions for installing Authentik via Docker Compose, configuring a reverse proxy with HTTPS, and performing regular maintenance, you will achieve a reliable and scalable platform.

To ensure optimal performance and security of your Authentik instance, it is crucial to choose a VPS with sufficient resources, especially with NVMe SSD. Valebyte.com offers high-performance VPS with NVMe drives that are ideally suited for hosting Authentik and other mission-critical applications, ensuring the stability and speed of your IAM system.
