Provisioning Authentik for SSO on a Self-Hosted Ubuntu Server (Docker-Based)
Centralized authentication is one of the most impactful upgrades you can make in a home lab. This post walks through how I deployed Authentik — a self-hosted identity provider — on Ubuntu Server using Docker Compose, including a setup wizard gotcha that cost me some troubleshooting time.
Prerequisites
- A fresh or existing Ubuntu 22.04 or 24.04 LTS server.
- sudo privileges on the system.
- Static IP and DNS configuration recommended.
- System updates applied.
Step 1: Install Docker Engine
I followed the official Docker post-install guide to install and configure Docker for non-root use.
Reference: Docker Post-install Guide
# Update and install required packages
sudo apt update && sudo apt upgrade -y
sudo apt install -y ca-certificates curl gnupg
# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Add the Docker repository
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install Docker Engine
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
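# Optional: add your user to the docker group to avoid using sudo with every docker command.
# Membership in the docker group is root-equivalent on the host, so add only accounts you would trust with sudo.
sudo usermod -aG docker "$USER"
newgrp docker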
Step 2: Install Docker Compose (Standalone)
Authentik uses docker-compose.yml to manage its multi-container services.
Reference: Docker Compose Install Guide
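# Download Docker Compose binary (-f makes curl fail on an HTTP error instead of saving the error page as the binary)
# "latest" is unpinned and the download is not verified here; outside a lab, pin a release tag and check it against the checksum published with that release
sudo curl -fL "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" \
-o /usr/local/bin/docker-compose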
# Set permissions
sudo chmod +x /usr/local/bin/docker-compose
# Verify installation
docker-compose version
Step 3: Create Authentik Directory and Configuration
Reference: Authentik Docker Install Guide
# Create and navigate to the installation directory
mkdir -p ~/authentik
cd ~/authentik
# Download the official docker-compose.yml
curl -o docker-compose.yml https://goauthentik.io/docker-compose.yml
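# Create an .env file to override configuration values
# Keep the EOF delimiter unquoted so the $(openssl ...) substitutions are expanded
# The official docker-compose.yml reads the database password from PG_PASS
cat <<EOF > .env
AUTHENTIK_SECRET_KEY=$(openssl rand -hex 32)
PG_PASS=$(openssl rand -hex 16)
AUTHENTIK_EMAIL__FROM="admin@example.com"
AUTHENTIK_EMAIL__HOST="localhost"
EOF
# The file holds secrets: restrict it to the owner
chmod 600 .env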
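Before starting the stack, it is worth checking what actually landed in .env. The function below is an added example, not part of the original post or of Authentik: it audits the file's mode and every key whose name contains SECRET or PASS. The 32-character floor and the name patterns are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit a Compose .env file before starting the stack.
# MIN_LEN and the SECRET/PASS name patterns are assumptions of this sketch.
MIN_LEN=32   # `openssl rand -hex 16` yields exactly 32 characters

audit_env() {
    local file=$1 findings=0 mode line key value seen=""
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # A secrets file should be accessible by its owner only (GNU stat, as on Ubuntu).
    mode=$(stat -c '%a' "$file")
    case $mode in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600"; findings=$((findings + 1)) ;;
    esac

    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%=*}
        value=${line#*=}
        case $key in
            ''|'#'*) continue ;;          # blank lines and comments
            *SECRET*|*PASS*) ;;           # keys that hold secrets
            *) continue ;;
        esac
        value=${value#\"}; value=${value%\"}   # strip optional double quotes
        # A quoted delimiter (<<'EOF') writes the command text instead of its output.
        case $value in
            *'$('*)
                echo "$key: unexpanded command substitution"
                findings=$((findings + 1)); continue ;;
        esac
        if [ "${#value}" -lt "$MIN_LEN" ]; then
            echo "$key: ${#value} characters, want at least $MIN_LEN"
            findings=$((findings + 1)); continue
        fi
        # One value under two keys means a single leak exposes both.
        case " $seen " in
            *" $value "*) echo "$key: value reused from another key"; findings=$((findings + 1)) ;;
        esac
        seen="$seen $value"
    done < "$file"

    return "$findings"   # exit status is the number of findings, 0 when clean
}
# Usage: audit_env ~/authentik/.env && docker-compose up -d
```

The function's exit status is the number of findings, so chaining it with && keeps the containers from starting on a weak or world-readable file.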
Step 4: Start Authentik Services
I started the containers using Docker Compose:
docker-compose pull # Pull latest images
docker-compose up -d # Start in detached mode
Step 5: Access the Web Interface
Once running, Authentik is available at:
http://<your-server-ip>:9000
or
https://<your-server-ip>:9443
Step 6: Initial Setup Wizard
I ran into trouble getting the initial setup wizard to cooperate. The wizard refused to let me create the default akadmin account over an HTTP connection. To work around this:
First, confirm that the Authentik server container is listening on port 9443:
sudo ss -tulpn | grep LISTEN
Then access the initial setup wizard over HTTPS:
https://<your server's IP or hostname>:9443/if/flow/initial-setup/
Lessons Learned
- Use HTTPS for the setup wizard. Authentik blocks initial account creation over plain HTTP — go straight to port 9443.
- Generate secrets at deploy time. The .env file approach with openssl rand ensures unique keys per instance. Don't reuse secrets across environments.
- Docker Compose plugin vs. standalone binary. Step 1 installs the Compose plugin (docker compose), but Authentik's docs reference the standalone docker-compose binary. Both work, but keep your invocation consistent.