The primary Authentik application container serves the administrative UI, identity provider endpoints, and policy engines. It exposes the /server command entrypoint, stores uploaded media and templates on dedicated volumes, and brokers authentication flows for downstream services published through Nginx Proxy Manager.【F:authentik/compose.yml†L19-L45】
| Setting | Value |
|---|---|
| Image | ghcr.io/goauthentik/server:2025.8.4 |
| Command | server |
| Restart policy | unless-stopped |
| Volumes | ak_media:/media, ak_templates:/templates |
| Networks | frontend_net, backend_net, db_net |

Key environment variables are sourced from the stack .env file:

| Variable | Purpose |
|---|---|
| AUTHENTIK_SECRET_KEY | Core application signing key. |
| AUTHENTIK_POSTGRESQL__HOST/PORT/NAME/USER/PASSWORD | Database connectivity routed to the shared postgres container on db_net. |
| AUTHENTIK_REDIS__HOST/PORT/DB/PASSWORD | Session and cache backend hosted on the shared redis service. |
| AUTHENTIK_COOKIE_DOMAIN / AUTHENTIK_HOST | Public URLs that must match DNS used by frontend_net applications. |
| POSTGRES_PASSWORD | Legacy variable retained for compatibility with Authentik migrations. |

All sensitive values (*_PASSWORD, tokens) are expected to be injected through the environment rather than committed to source control.【F:authentik/compose.yml†L24-L56】
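
A check for the rule above, as an added example that is not part of the original page or the stack's own tooling: it scans compose text for sensitive keys whose value is a literal or a `${VAR:-default}` fallback instead of pure environment injection. The sample compose fragment and its values are constructed, and the key-name pattern (`PASSWORD`, `SECRET_KEY`, `TOKEN` suffixes) is an assumption based on the variables in the table above.

```python
import re

# Assumed sensitive suffixes: the page's *_PASSWORD variables,
# AUTHENTIK_SECRET_KEY, and token-like names.
SENSITIVE = re.compile(r"(PASSWORD|SECRET_KEY|TOKEN)$")
# Matches "KEY: value" (mapping form) and "- KEY=value" (list form).
ENTRY = re.compile(r"^\s*(?:-\s*)?([A-Z][A-Z0-9_]*)\s*[:=]\s*(.*)$")
# A value that is only ${VAR} or ${VAR:?message}: no literal, no default.
INJECTED = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(?::?\?[^}]*)?\}$")


def find_hardcoded_secrets(compose_text):
    """Return (line_number, key, reason) for sensitive keys not purely injected."""
    findings = []
    for number, line in enumerate(compose_text.splitlines(), start=1):
        match = ENTRY.match(line.split(" #", 1)[0])  # drop trailing comments
        if not match or not SENSITIVE.search(match.group(1)):
            continue
        key = match.group(1)
        value = match.group(2).strip().strip("'\"")
        # An empty value is passed through from the host environment by Compose.
        if not value or INJECTED.match(value):
            continue
        # ${VAR:-x} or ${VAR-x} still commits a usable secret as the fallback.
        reason = "default" if value.startswith("${") else "literal"
        findings.append((number, key, reason))
    return findings


# Constructed sample, not the stack's real compose file.
SAMPLE = """\
services:
  server:
    image: ghcr.io/goauthentik/server:2025.8.4
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?set in .env}
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__PASSWORD: ${POSTGRES_PASSWORD}
      AUTHENTIK_REDIS__PASSWORD: "changeme"
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-authentik}
"""

if __name__ == "__main__":
    for number, key, reason in find_hardcoded_secrets(SAMPLE):
        print(f"line {number}: {key} has a committed {reason} value")
```

The scan is line-based and does not parse YAML, so it covers single-line `environment` entries only; a non-empty result is meant to fail a pre-commit hook or CI job.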

depends_on clause ensures sequencing with those containers.【F:authentik/compose.yml†L46-L58】

AUTHENTIK_HOST. Review those stack pages before rotating URLs or secrets.【F:tools/compose.yml†L26-L177】【F:devtools/compose.yml†L120-L187】

https://auth.bryanwank.com via the reverse proxy defined in the Frontdoor stack.

AUTHENTIK_SECRET_KEY remains constant so existing sessions remain valid.