authentik/env.prod.template

# SETTINGS from env.template
# Misc configuration
PUBLIC_DOMAIN=sso.base23.de
COMPOSE_PROJECT_NAME=sso-base23-de

# Server Versions
AUTHENTIK_TAG=2025.2.1
POSTGRES_TAG=16.6-alpine
REDIS_TAG=7.4.2-alpine
RESTICKER_TAG=0.0.2-restic0.17.0
NGINX_UNPRIVILEGED_TAG=1.27.2-bookworm

# Error reporting & Logging
AUTHENTIK_ERROR_REPORTING__ENABLED=true
AUTHENTIK_LOG_LEVEL=warning

# Email configuration
# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=mail.base23.de
AUTHENTIK_EMAIL__PORT=25
AUTHENTIK_EMAIL__USERNAME=sso@base23.de
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=true
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=sso@base23.de

# Exposed ports for Authentik -- Ports are note exposed due to traefik setup
# COMPOSE_PORT_HTTP=80
# COMPOSE_PORT_HTTPS=443

# Liste settings
AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS="172.18.0.0/16"


# MaxMind GeoIP
GEOIPUPDATE_ACCOUNT_ID=1093308


# PostgreSQL configuration
PG_USER=authentik
PG_DB=authentik


# Nginx configuration
NGINX_HTTP_PORT=8080
NGINX_HTTPS_PORT=8443
NGINX_RESOLVER=127.0.0.11
NGINX_SERVERNAME=sso.base23.de

# NGINX SSL Config for nginx 1.27.2, intermediate config, OpenSSL 3.0.14
NGINX_SSL_SESSION_TIMEOUT=1d
NGINX_SSL_SESSION_CACHE='shared:MozSSL:10m' # about 40000 sessions
NGINX_SSL_PROTOCOLS='TLSv1.2 TLSv1.3'
NGINX_SSL_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'
NGINX_SSL_PREFER_SERVER_CIPHERS=off
NGINX_HEADER_STRICT_TRANSPORT_SECURITY='"max-age=63072000" always'
NGINX_SSL_STAPLING=on
NGINX_SSL_STAPLING_VERIFY=on


# Restic configuration
RESTIC_REPO_USER=u291924-sub4
RESTIC_REPO_ADDRESS=cloud.backup.base23.de
RESTIC_REPO_PORT=22
RESTIC_TAG=sso.base23.de