diff --git a/ct/authentik.sh b/ct/authentik.sh index 363f30a7d..855978a6b 100644 --- a/ct/authentik.sh +++ b/ct/authentik.sh @@ -9,7 +9,7 @@ APP="Authentik" var_tags="${var_tags:-identity-provider}" var_disk="${var_disk:-12}" var_cpu="${var_cpu:-6}" -var_ram="${var_ram:-8192}" +var_ram="${var_ram:-10240}" var_os="${var_os:-debian}" var_version="${var_version:-12}" var_unprivileged="${var_unprivileged:-1}" @@ -29,6 +29,13 @@ function update_script() { fi RELEASE=$(curl -fsSL https://api.github.com/repos/goauthentik/authentik/releases/latest | grep "tarball_url" | awk '{print substr($2, 2, length($2)-3)}') if [[ "${RELEASE}" != "$(cat /opt/${APP}_version.txt)" ]] || [[ ! -f /opt/${APP}_version.txt ]]; then + NODE_VERSION="22" + PG_VERSION="16" + setup_uv + install_postgresql + install_node_and_modules + install_go + msg_info "Stopping ${APP}" systemctl stop authentik-server systemctl stop authentik-worker @@ -54,17 +61,14 @@ function update_script() { go build -o /opt/authentik/authentik-server /opt/authentik/cmd/server/ msg_ok "Built ${APP} server" - msg_info "Installing Python Dependencies" + msg_info "Building Authentik" cd /opt/authentik - $STD poetry install --only=main --no-ansi --no-interaction --no-root - $STD poetry export --without-hashes --without-urls -f requirements.txt --output requirements.txt - $STD pip install --no-cache-dir -r requirements.txt - $STD pip install . - msg_ok "Installed Python Dependencies" + $STD uv sync --frozen --no-install-project --no-dev + uv run python -m lifecycle.migrate + ln -s /opt/authentik/.venv/bin/gunicorn /usr/local/bin/gunicorn + ln -s /opt/authentik/.venv/bin/celery /usr/local/bin/celery + msg_ok "Authentik built" - msg_info "Updating ${APP} to v${RELEASE} (Patience)" - cp -r /opt/authentik/authentik/blueprints /opt/authentik/blueprints - $STD bash /opt/authentik/lifecycle/ak migrate echo "${RELEASE}" >/opt/${APP}_version.txt msg_ok "Updated ${APP} to v${RELEASE}" diff --git a/frontend/public/json/authentik.json b/frontend/public/json/authentik.json index 19eb1ff68..6f14106bb 100644 --- a/frontend/public/json/authentik.json +++ b/frontend/public/json/authentik.json @@ -20,7 +20,7 @@ "script": "ct/authentik.sh", "resources": { "cpu": 6, - "ram": 8192, + "ram": 10240, "hdd": 12, "os": "debian", "version": "12" @@ -33,7 +33,11 @@ }, "notes": [ { - "text": "Authentik is very resource-heavy, it is recommended to use at least 8GB RAM anytime!", + "text": "Authentik is very resource-heavy, it is recommended to use at least 10GB RAM anytime!", + "type": "warning" + }, + { + "text": "Some updates don't work due to massive dependency errors, it's recommended to do a backup before updating or a pg_dump and a new LXC.", "type": "warning" } ] diff --git a/install/authentik-install.sh b/install/authentik-install.sh index b3b8c13a5..63b8b3c15 100644 --- a/install/authentik-install.sh +++ b/install/authentik-install.sh @@ -15,7 +15,6 @@ update_os msg_info "Installing Dependencies (Patience)" $STD apt-get install -y \ - gpg \ pkg-config \ libffi-dev \ build-essential \ @@ -33,9 +32,15 @@ $STD apt-get install -y \ libxmlsec1-openssl \ libmaxminddb0 \ python3-pip \ + redis-server \ git msg_ok "Installed Dependencies" +setup_uv +PG_VERSION="16" install_postgresql +NODE_VERSION="22" install_node_and_modules +install_go + msg_info "Installing yq" cd /tmp YQ_LATEST="$(curl -fsSL https://api.github.com/repos/mikefarah/yq/releases/latest | grep -Po '"tag_name": "\K.*?(?=")')" @@ -56,46 +61,8 @@ cat </etc/GeoIP.conf EOF msg_ok "Installed GeoIP" -msg_info "Setting up Python 3" -cd /tmp -curl -fsSL "https://www.python.org/ftp/python/3.12.1/Python-3.12.1.tgz" -o "Python.tgz" -tar -zxf Python.tgz -cd Python-3.12.1 -$STD ./configure --enable-optimizations -$STD make altinstall -cd ~ -$STD update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.12 1 -msg_ok "Setup Python 3" - -msg_info "Setting up Node.js Repository" -mkdir -p /etc/apt/keyrings -curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg -echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" >/etc/apt/sources.list.d/nodesource.list -msg_ok "Set up Node.js Repository" - -msg_info "Installing Node.js" -$STD apt-get update -$STD apt-get install -y nodejs -msg_ok "Installed Node.js" - -msg_info "Installing Golang" -set +o pipefail -temp_file=$(mktemp) -golang_tarball=$(curl -fsSL https://go.dev/dl/ | grep -oP 'go[\d\.]+\.linux-amd64\.tar\.gz' | head -n 1) -curl -fsSL "https://golang.org/dl/${golang_tarball}" -o "$temp_file" -tar -C /usr/local -xzf "$temp_file" -ln -sf /usr/local/go/bin/go /usr/local/bin/go -rm -f "$temp_file" -set -o pipefail -msg_ok "Installed Golang" - -msg_info "Installing Redis" -$STD apt-get install -y redis-server -systemctl enable -q --now redis-server -msg_ok "Installed Redis" - msg_info "Installing PostgreSQL" -$STD apt-get install -y postgresql postgresql-contrib +$STD apt-get install -y postgresql-16 postgresql-contrib-16 DB_NAME="authentik" DB_USER="authentik" DB_PASS="$(openssl rand -base64 18 | cut -c1-13)" @@ -111,25 +78,29 @@ RELEASE=$(curl -fsSL https://api.github.com/repos/goauthentik/authentik/releases mkdir -p /opt/authentik curl -fsSL "${RELEASE}" -o "authentik.tar.gz" tar -xzf authentik.tar.gz -C /opt/authentik --strip-components 1 --overwrite +export NODE_OPTIONS="--max-old-space-size=4096" cd /opt/authentik/website $STD npm install $STD npm run build-bundled + cd /opt/authentik/web $STD npm install $STD npm run build -echo "${RELEASE}" >/opt/${APPLICATION}_version.txt + cd /opt/authentik $STD go mod download $STD go build -o /go/authentik ./cmd/server $STD go build -o /opt/authentik/authentik-server /opt/authentik/cmd/server/ -cd /opt/authentik -$STD pip3 install --upgrade pip -$STD pip3 install poetry poetry-plugin-export -ln -s /usr/local/bin/poetry /usr/bin/poetry -$STD poetry install --only=main --no-ansi --no-interaction --no-root -$STD poetry export --without-hashes --without-urls -f requirements.txt --output requirements.txt -$STD pip install --no-cache-dir -r requirements.txt -$STD pip install . +$STD uv sync --frozen --no-install-project --no-dev +#$STD pip3 install --no-cache-dir --upgrade pip +#$STD pip3 install --upgrade pip +#$STD pip3 install poetry poetry-plugin-export + +#ln -s /usr/local/bin/poetry /usr/bin/poetry +#$STD poetry install --only=main --no-ansi --no-interaction --no-root +#$STD poetry export --without-hashes --without-urls -f requirements.txt --output requirements.txt +#$STD pip install --no-cache-dir -r requirements.txt +#$STD pip install . mkdir -p /etc/authentik mv /opt/authentik/authentik/lib/default.yml /etc/authentik/config.yml $STD yq -i ".secret_key = \"$(openssl rand -hex 32)\"" /etc/authentik/config.yml @@ -137,23 +108,30 @@ $STD yq -i ".postgresql.password = \"${DB_PASS}\"" /etc/authentik/config.yml $STD yq -i ".geoip = \"/opt/authentik/tests/GeoLite2-City-Test.mmdb\"" /etc/authentik/config.yml cp -r /opt/authentik/authentik/blueprints /opt/authentik/blueprints $STD yq -i ".blueprints_dir = \"/opt/authentik/blueprints\"" /etc/authentik/config.yml -ln -s /usr/bin/python3 /usr/bin/python -ln -s /usr/local/bin/gunicorn /usr/bin/gunicorn -ln -s /usr/local/bin/celery /usr/bin/celery -$STD bash /opt/authentik/lifecycle/ak migrate -cd ~ +#ln -s /usr/bin/python3 /usr/bin/python +#ln -s /usr/local/bin/gunicorn /usr/bin/gunicorn +#ln -s /usr/local/bin/celery /usr/bin/celery +#$STD bash /opt/authentik/lifecycle/ak migrate +cd /opt/authentik +uv run python -m lifecycle.migrate +ln -s /opt/authentik/.venv/bin/gunicorn /usr/local/bin/gunicorn +ln -s /opt/authentik/.venv/bin/celery /usr/local/bin/celery +echo "${RELEASE}" >/opt/${APPLICATION}_version.txt msg_ok "Installed authentik" msg_info "Creating Services" cat </etc/systemd/system/authentik-server.service [Unit] -Description = authentik Server +Description=authentik Go Server (API Gateway) +After=network.target +Wants=redis.service postgresql.service [Service] -ExecStart=/opt/authentik/authentik-server WorkingDirectory=/opt/authentik/ +ExecStart=/opt/authentik/authentik-server Restart=always RestartSec=5 +Environment=DJANGO_SETTINGS_MODULE=authentik.root.settings [Install] WantedBy=multi-user.target @@ -161,21 +139,49 @@ EOF cat </etc/systemd/system/authentik-worker.service [Unit] -Description = authentik Worker +Description=authentik Celery Worker +After=network.target redis.service postgresql.service +Requires=redis.service [Service] -Environment=DJANGO_SETTINGS_MODULE="authentik.root.settings" -ExecStart=celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events -WorkingDirectory=/opt/authentik/authentik +Type=simple +WorkingDirectory=/opt/authentik +ExecStart=/opt/authentik/.venv/bin/celery \ + -A authentik.root.celery worker \ + -Ofair \ + --max-tasks-per-child=1 \ + --autoscale 3,1 \ + -Q authentik,authentik_scheduled,authentik_events \ + -E Restart=always RestartSec=5 +Environment=DJANGO_SETTINGS_MODULE=authentik.root.settings [Install] WantedBy=multi-user.target EOF -systemctl enable -q --now authentik-server -sleep 2 -systemctl enable -q --now authentik-worker + +cat </etc/systemd/system/authentik-celery-beat.service +[Unit] +Description=authentik Celery Beat Scheduler +After=network.target + +[Service] +Type=simple +WorkingDirectory=/opt/authentik +ExecStart=/opt/authentik/.venv/bin/celery \ + -A authentik.root.celery beat \ + -s /tmp/celerybeat-schedule +Restart=always +RestartSec=5 +#User=authentik +Environment=DJANGO_SETTINGS_MODULE=authentik.root.settings + +[Install] +WantedBy=multi-user.target +EOF + +systemctl enable -q --now authentik-server authentik-worker authentik-celery-beat msg_ok "Created Services" motd_ssh