|
| 1 | +# Authentik + Traefik Proxy Setup |
| 2 | + |
| 3 | +This guide supposes you have a working Authentik and Traefik setup on docker. Specifically here Traefik is label focused, with files for the dynamic configuration, but the same can be achieved with all the other configuration methods. |
| 4 | + |
| 5 | +> Important: user profiles need to be created in FoundryVTT before they can login. The user names in FoundryVTT must match the user names in Authentik, otherwise the login will fail. This is because FoundryVTT uses the `x-authentik-username` header to identify users. |
| 6 | +
|
| 7 | +## Modifying the patch |
| 8 | + |
| 9 | +You need to modify the patch (`patches.sh`) so that all `split(',')` calles are replaced with `split('|') as Authentik uses `|`as a seprator for multiple roles. This is needed to make the patch work with Authentik. I'm bad at regex and js, so I didn't modify the patch source code to support both`,`and`|`, but you can do it if you want to. |
| 10 | + |
| 11 | +You can skip the next 2 sections if you follow this [Tutorial](https://docs.ibracorp.io/authentik/authentik/docker-compose/traefik-forward-auth-single-applications) to set up Authentik with Traefik Forward Auth. |
| 12 | + |
| 13 | +## Traefik Forward Auth Configuration |
| 14 | + |
| 15 | +> Note: if you already have http and middlewares section in your dynamic config you only need to add the authentik portion |
| 16 | +> Note: this middleware can be used with any application, not just with FoundryVTT |
| 17 | +
|
| 18 | +```yaml |
| 19 | +http: |
| 20 | + middlewares: |
| 21 | + authentik: |
| 22 | + forwardauth: |
| 23 | + address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik |
| 24 | + trustForwardHeader: true |
| 25 | + authResponseHeaders: |
| 26 | + - X-authentik-username |
| 27 | + - X-authentik-groups |
| 28 | + - X-authentik-email |
| 29 | + - X-authentik-name |
| 30 | + - X-authentik-uid |
| 31 | + - X-authentik-jwt |
| 32 | + - X-authentik-meta-jwks |
| 33 | + - X-authentik-meta-outpost |
| 34 | + - X-authentik-meta-provider |
| 35 | + - X-authentik-meta-app |
| 36 | + - X-authentik-meta-version |
| 37 | +``` |
| 38 | +
|
| 39 | +where <authentik-server> is the name of your Authentik container. |
| 40 | +
|
| 41 | +## Authentik |
| 42 | +
|
| 43 | +[Authentik](https://goauthentik.io/) |
| 44 | +
|
| 45 | +Create a new applicatio with a Proxy Provider. Name it as you prefer, mine was `FoundryVTT`, set the **Extenal Host** as `foundry.<your-domain>`, you can also set the Authorization flows to be **Implicit** or **Explicit**, mine is Implicit for simplicity. |
| 46 | + |
| 47 | +Next go to the **Outpost** section, edit the default outpost and select the application you just created. |
| 48 | +Additionally edit the `authentik_host:` line and replace the URL with the subdomain.yourdomain.tld you use to access authentik externally |
| 49 | + |
| 50 | +Create 2 roles with relative groups, or as you prefer (we need the group names later): |
| 51 | + |
| 52 | +- `foundry-admin` |
| 53 | +- `foundry-user` |
| 54 | + |
| 55 | +Add users you want as players to the `foundry-user` group, and users you want as admins to the `foundry-admin` group. Remember that admin users can play as players too; they don't have to be put in both groups. |
| 56 | + |
| 57 | +## FoundryVTT |
| 58 | + |
| 59 | +```YAML |
| 60 | +foundry: |
| 61 | + image: felddy/foundryvtt:13.346.0 |
| 62 | + container_name: foundry |
| 63 | + restart: unless-stopped |
| 64 | + volumes: |
| 65 | + - <DATA_VOLUME>:/data |
| 66 | + environment: |
| 67 | + - FOUNDRY_PASSWORD=<FOUNDRY_PASSWORD> |
| 68 | + - FOUNDRY_USERNAME=<FOUNDRY_USERNAME> |
| 69 | + - CONTAINER_PATCHES=/data/patch_dir |
| 70 | +
|
| 71 | + - HEADER_USERNAME=x-authentik-username # This needs to be lowercase and present as X-authentik-username in traefik dynamic config |
| 72 | + - HEADER_ROLES=x-authentik-groups # As above, but X-authentik-groups |
| 73 | + - ROLE_PLAYER=foundry-player # This is the group name you set in Authentik for players |
| 74 | + - ROLE_ADMIN=foundry-admin # This is the group name you set in Authentik for admins |
| 75 | +
|
| 76 | + - FOUNDRY_ADMIN_KEY=<FOUNDRY_ADMIN_PASSWORD> # The admimn password is needed so that the admin login is performed only by `foundry-admin` users, otherwise anyone can login on the setup page |
| 77 | + networks: |
| 78 | + - proxy-net |
| 79 | + labels: |
| 80 | + - traefik.enable=true |
| 81 | + - traefik.docker.network=proxy-net |
| 82 | + - traefik.http.routers.foundry-secure.entrypoints=websecure |
| 83 | + - traefik.http.routers.foundry-secure.rule=Host(`foundry.$DOMAIN`) |
| 84 | + - traefik.http.routers.foundry-secure.tls=true |
| 85 | + - traefik.http.routers.foundry-secure.tls.certresolver=$CERTRESOLVER |
| 86 | + |
| 87 | + - traefik.http.routers.foundry-secure.service=foundry-service |
| 88 | + - traefik.http.routers.foundry-secure.middlewares=authentik@file # This is the middleware we created in the dynamic config |
| 89 | + |
| 90 | + - traefik.http.services.foundry-service.loadbalancer.server.port=30000 # Loadbalancing on the port. If you change it on the env_variables of the container, change it here too |
| 91 | + - traefik.http.services.foundry-service.loadbalancer.server.scheme=http |
| 92 | +``` |
| 93 | +
|
| 94 | +This way you can access FoundryVTT as specified in the README, it will be access protected by Authentik and users will be automatically logged in based on their Authentik roles. |
| 95 | +
|
| 96 | +Have fun! |
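Review bot: the player role variable and the Authentik group names in this hunk disagree. The Authentik section tells the reader to create the groups `foundry-admin` and `foundry-user`, but the compose block sets `ROLE_PLAYER=foundry-player`, so members of `foundry-user` will never be matched as players; change it to `ROLE_PLAYER=foundry-user` (or create the group as `foundry-player` and update the group list to match). Two smaller points: the "Modifying the patch" paragraph has an unclosed backtick around `split('|')` plus the typos "calles" and "seprator", and the sentence under the YAML refers to `<authentik-server>` in angle brackets while the `address:` line above uses `authentik-server` literally, so say which one is the placeholder. Since FoundryVTT trusts whatever arrives in `x-authentik-username` and `x-authentik-groups`, the guide should also state explicitly that the container must not publish port 30000 on the host (the compose block correctly has no `ports:` entry, only the Traefik `loadbalancer.server.port=30000` label) so that those headers can only be set by the `authentik@file` middleware and not by a client reaching the container directly.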