The Authentik stack delivers centralized identity, access management, and reverse-proxy enforcement for the rest of the platform. It runs the primary Authentik application, a background worker tier, and two proxy outposts that enforce authentication for downstream services published through Nginx Proxy Manager.
frontend_net for browser access, backend_net for cross-stack callbacks, and db_net for database access.【F:authentik/compose.yml†L5-L37】ak_templates, ak_media) preserve branding assets and exported flows across upgrades.【F:authentik/compose.yml†L12-L18】【F:authentik/compose.yml†L37-L44】.env secrets for database credentials, Redis passwords, and outpost tokens to keep sensitive values out of source control.【F:authentik/compose.yml†L28-L81】| Service | Role |
|---|---|
| authentik-server | Web application tier that hosts the Authentik admin UI, identity flows, and OAuth/OIDC providers. |
| authentik-worker | Background worker executing asynchronous policy checks, directory sync, and email pipelines. |
| ak-outpost-organizr | Reverse-proxy outpost that injects SSO in front of Organizr and other frontend applications. |
| ak-outpost-cwad | Embedded Authentik proxy used by Calibre-Web Automated Downloader and similar backend services. |
frontend_net with Nginx Proxy Manager, backend_net with CWAD) to terminate requests before they reach the upstream container.【F:authentik/compose.yml†L62-L81】